Prepare for AppArmor 4.0 alpha 2 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

common/Version

@@ -1 +1 @@
-4.0.0~alpha1
+4.0.0~alpha2

libraries/libapparmor/src/Makefile.am

@@ -59,7 +59,7 @@ lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
 
 libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c PMurHash.c
-libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
+libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -Bdynamic -pthread \
 	-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
 
 pkgconfigdir = $(libdir)/pkgconfig

parser/af_unix.cc

@@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 			tmp << "..";
 			buf = tmp.str();
 			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
-							 map_perms(AA_NET_OPT),
+							 map_perms(mask & AA_NET_OPT),
 							 map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
 							 parseopts))
 				goto fail;

parser/apparmor.d.pod

@@ -113,9 +113,11 @@ B<XATTR VALUE FILEGLOB> = I<FILEGLOB>
 
 B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of I<PROFILE FLAGS> ')'
 
-B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug'
+B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted'
+| 'attach_disconnected' | 'attach_disconneced.path='I<ABS PATH> | 'chroot_relative'
+| 'debug'
 
-B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined'
+B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
 
 B<AUDIT MODE> = 'audit'
 
@@ -459,6 +461,11 @@ profile replacement. This mode is should not be used under regular
 deployment but can be useful during debugging and some system
 initialization scenarios.
 
+=item B<prompt> This mode allows task mediation to send an up call to
+userspace to ask for a decision when there isn't a rule covering the
+permission request. If userspace does not respond then the access
+will be denied.
+
 =back
 
 =head4 Audit Mode
@@ -486,6 +493,10 @@ though they are part of the namespace. WARNING this mode is unsafe and
 can result in aliasing and access to objects that should not be
 allowed. Its intent is a debug and policy development tool.
 
+=item B<attach_disconnected.path>=I<ABS PATH> Like attach_disconnected, but
+attach disconnected objects to the supplied path instead of the root of
+the namespace.
+
 =item B<chroot_relative> This forces file names to be relative to a
 chroot and behave as if the chroot is a mount namespace.
 

parser/parser.conf

@@ -77,7 +77,3 @@
 
 ## Pin older policy to the 5.4 kernel abi + out of tree network and af_unix
 #policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network
-
-## TO BE reverted - this is only for 4.0 dev cycle
-## pin policy that doesn't have an abi to 4.0
-policy-features=/etc/apparmor.d/abi/4.0

parser/parser_interface.c

@@ -420,6 +420,12 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
 		}
 	}
 
+	/* added in 4.13, unfortunately there is no features flag */
+	if (profile->flags.disconnected_path) {
+		sd_write_string(buf, profile->flags.disconnected_path,
+				"disconnected");
+	}
+
 	sd_write_struct(buf, "flags");
 	/* used to be flags.debug, but that's no longer supported */
 	sd_write_uint32(buf, profile->flags.flags);

parser/parser_variable.c

@@ -285,7 +285,20 @@ static int process_variables_in_name(Profile &prof)
 	int error = expand_entry_variables(&prof.name);
 	if (!error && prof.attachment)
 		error = expand_entry_variables(&prof.attachment);
+	if (!error && prof.flags.disconnected_path) {
+		error = expand_entry_variables(&prof.flags.disconnected_path);
+		if (error)
+			return error;
+		filter_slashes(prof.flags.disconnected_path);
+		// TODO: semantic check should go somewhere else
+		if (prof.flags.disconnected_path[0] != '/')
+			yyerror(_("attach_disconnected_path value must begin with a /"));
+		int n = strlen(prof.flags.disconnected_path);
+		// removing trailing / */
+		while (n && prof.flags.disconnected_path[n-1] == '/')
+			prof.flags.disconnected_path[--n] = 0;
 
+	}
 	return error;
 }
 

parser/parser_yacc.y

@@ -575,7 +575,7 @@ valuelist:	valuelist TOK_VALUE
 	}
 
 flags:	{ /* nothing */
-	flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0 };
+	flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0, NULL };
 
 		$$ = fv;
 	};
@@ -627,7 +627,7 @@ flagvals:	flagval
 
 flagval:	TOK_VALUE
 	{
-		flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0 };
+		flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0, NULL };
 		enum profile_mode mode;
 
 		if (strcmp($1, "debug") == 0) {
@@ -653,6 +653,10 @@ flagval:	TOK_VALUE
 			fv.path |= PATH_CHROOT_NSATTACH;
 		} else if (strcmp($1, "chroot_no_attach") == 0) {
 			fv.path |= PATH_CHROOT_NO_ATTACH;
+		} else if (strncmp($1, "attach_disconnected.path=", 25) == 0) {
+			/* TODO: make this a proper parse */
+			fv.path |= PATH_ATTACH;
+			fv.disconnected_path = strdup($1 + 25);
 		} else {
 			yyerror(_("Invalid profile flag: %s."), $1);
 		}

parser/profile.cc

@@ -27,6 +27,7 @@ const char *profile_mode_table[] = {
 	"complain",
 	"kill",
 	"unconfined",
+	"prompt"
 };
 
 bool deref_profileptr_lt::operator()(Profile * const &lhs, Profile * const &rhs) const
@@ -106,6 +107,8 @@ Profile::~Profile()
 		free(name);
 	if (attachment)
 		free(attachment);
+	if (flags.disconnected_path)
+		free(flags.disconnected_path);
 	if (ns)
 		free(ns);
 	for (int i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++)

parser/profile.h

@@ -62,9 +62,10 @@ enum profile_mode {
 	MODE_COMPLAIN = 2,
 	MODE_KILL = 3,
 	MODE_UNCONFINED = 4,
-	MODE_CONFLICT = 5	/* greater than MODE_LAST */
+	MODE_PROMPT = 5,
+	MODE_CONFLICT = 6	/* greater than MODE_LAST */
 };
-#define MODE_LAST MODE_UNCONFINED
+#define MODE_LAST MODE_PROMPT
 
 static inline enum profile_mode operator++(enum profile_mode &mode)
 {
@@ -120,6 +121,7 @@ public:
 	enum profile_mode mode;
 	int audit;
 	int path;
+	char *disconnected_path;
 
 	ostream &dump(ostream &os)
 	{
@@ -131,6 +133,8 @@ public:
 		if (flags & FLAG_HAT)
 			os << ", Hat";
 
+		if (disconnected_path)
+			os << ", attach_disconnected.path=" << disconnected_path;
 		os << "\n";
 
 		return os;
@@ -221,7 +225,7 @@ public:
 
 		parent = NULL;
 
-		flags = { 0, MODE_UNSPECIFIED, 0, 0 };
+		flags = { 0, MODE_UNSPECIFIED, 0, 0, NULL };
 		rlimits = {0, {}};
 
 		std::fill(exec_table, exec_table + AA_EXEC_COUNT, (char *)NULL);

parser/tst/errors.py

@@ -13,10 +13,13 @@
 #
 # ------------------------------------------------------------------
 
+import os
 import subprocess
 import sys
 import unittest
 from argparse import ArgumentParser
+from shutil import rmtree
+from tempfile import mkdtemp
 
 import testlib
 
@@ -28,6 +31,15 @@ class AAErrorTests(testlib.AATestTemplate):
         self.maxDiff = None
         self.cmd_prefix = [config.parser, '--config-file=./parser.conf', '-S', '-I', 'errors']
 
+        self.tmpdir = os.path.realpath(mkdtemp(prefix='test-aa-parser-errors-'))
+        self.profile_dir = os.path.join(self.tmpdir, 'profile')
+        os.mkdir(self.profile_dir)
+
+
+    def tearDown(self):
+        if os.path.exists(self.tmpdir):
+            rmtree(self.tmpdir)
+
     def _run_test(self, profile, message='', is_error=True):
         cmd = self.cmd_prefix + [profile]
 
@@ -90,28 +102,65 @@ class AAErrorTests(testlib.AATestTemplate):
             is_error=False
         )
 
+    def test_non_existant_profile(self):
+        test_profile = os.path.join(self.profile_dir, "does-not-exist.sd")
+        self._run_test(
+            test_profile,
+            "File {} not found, skipping...\n".format(test_profile),
+        )
+
+    # We can run this test with multiple different arguments
+    def _test_non_existant_symlink_target(self):
+        """Helper Function to test the parser on a symlink with a non-existent target"""
+
+        test_profile = os.path.join(self.profile_dir, "non-existant-target.sd")
+        os.symlink('does-not-exist.sd', test_profile)
+        self._run_test(
+            test_profile,
+            "File {} not found, skipping...\n".format(test_profile),
+        )
+
+    def test_non_existant_symlink_target(self):
+        '''Basic symlink test that goes nowhere'''
+        self._test_non_existant_symlink_target()
+
+    def test_non_existant_symlink_target_j0(self):
+        '''Basic symlink test that goes nowhere with 0 jobs'''
+        self.cmd_prefix.append('-j0')
+        self._test_non_existant_symlink_target()
+
+    def test_non_existant_symlink_target_j1(self):
+        '''Basic symlink test that goes nowhere with 1 job arg'''
+        self.cmd_prefix.append('-j1')
+        self._test_non_existant_symlink_target()
+
+    def test_non_existant_symlink_target_j8(self):
+        '''Basic symlink test that goes nowhere with 8 job arg'''
+        self.cmd_prefix.append('-j8')
+        self._test_non_existant_symlink_target()
+
+    def test_non_existant_symlink_target_jauto(self):
+        '''Basic symlink test that goes nowhere with auto job arg'''
+        self.cmd_prefix.append('-jauto')
+        self._test_non_existant_symlink_target()
+
+    def test_non_existant_symlink_target_in_directory(self):
+        '''Symlink test passing a directory to the parser'''
+        test_profile = os.path.join(self.profile_dir, "non-existant-target.sd")
+        os.symlink('does-not-exist.sd', test_profile)
+        self._run_test(
+            self.profile_dir,
+            "There was an error while loading profiles from {}\n".format(self.profile_dir),
+        )
 
 def main():
     global config
     p = ArgumentParser()
     p.add_argument('-p', '--parser', default=testlib.DEFAULT_PARSER, action="store", dest='parser',
                    help="Specify path of apparmor parser to use [default = %(default)s]")
-    p.add_argument('-v', '--verbose', action="store_true", dest="verbose")
-    config = p.parse_args()
-
-    verbosity = 2 if config.verbose else 1
-
-    test_suite = unittest.TestSuite()
-    test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AAErrorTests))
-    try:
-        result = unittest.TextTestRunner(verbosity=verbosity).run(test_suite)
-    except Exception:
-        rc = 1
-    else:
-        rc = 0 if result.wasSuccessful() else 1
-
-    return rc
+    config, args = p.parse_known_args()
 
+    unittest.main(argv=sys.argv[:1] + args)
 
 if __name__ == "__main__":
-    sys.exit(main())
+    main()

parser/tst/simple_tests/profile/flags/flags_bad47.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad48.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad49.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad50.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, enforce) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad51.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, complain) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad52.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, kill) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad53.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, unconfined) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad54.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad55.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad56.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, complain, kill, unconfined, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad_disconnected_path1.sd

@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(attach_disconnected.path=foo) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_bad_disconnected_path2.sd

@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(attach_disconnected.path=foo/) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_bad_disconnected_path3.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=bar
+
+/does/not/exist flags=(attach_disconnected.path=@{var}) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_bad_disconnected_path4.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=bar/
+
+/does/not/exist flags=(attach_disconnected.path=@{var}) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_bad_disconnected_path5.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=bar/
+
+/does/not/exist flags=(attach_disconnected.path=@{var}/) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok27.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok28.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt audit) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path1.sd

@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(attach_disconnected.path=/foo) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path2.sd

@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(attach_disconnected.path=/foo/) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path3.sd

@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(attach_disconnected.path=/foo//) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path4.sd

@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(attach_disconnected.path=/foo/bar) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path5.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=/bar
+
+/does/not/exist flags=(attach_disconnected.path=/foo/@{var}) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path6.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=/bar
+
+/does/not/exist flags=(attach_disconnected.path=/foo/@{var}/) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path7.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=/bar
+
+/does/not/exist flags=(attach_disconnected.path=@{var}/foo) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

parser/tst/simple_tests/profile/flags/flags_ok_disconnected_path8.sd

@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+@{var}=/bar
+
+/does/not/exist flags=(attach_disconnected.path=@{var}) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+

profiles/Makefile

@@ -119,7 +119,7 @@ CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SO
 CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)
 
 .PHONY: check
-check: check-parser check-logprof check-abstractions.d check-extras
+check: check-parser check-logprof check-abstractions.d check-tunables.d check-extras
 
 .PHONY: check-parser
 check-parser: test-dependencies local
@@ -152,6 +152,15 @@ check-abstractions.d:
 		grep -q "^  include if exists <abstractions/$${file}.d>$$" $$file || { echo "$$file does not contain 'include if exists <abstractions/$${file}.d>'"; exit 1; } ; \
 	done
 
+.PHONY: check-tunables.d
+check-tunables.d:
+	@echo "*** Checking if all tunables (with a few exceptions) contain include if exists <tunables/*.d>"
+	$(Q)cd apparmor.d/tunables && for file in * ; do \
+		test -d "$$file" &&  continue ;  \
+		test "$$file" = 'sys' && continue ; \
+		grep -q "^include if exists <tunables/$${file}.d>$$" $$file || { echo "$$file does not contain 'include if exists <tunables/$${file}.d>'"; exit 1; } ; \
+	done
+
 .PHONY: check-extras
 check-extras:
 	@echo "*** Checking if all extra profiles contain include if exists <local/*>"

profiles/apparmor.d/tunables/alias

@@ -14,3 +14,6 @@
 #
 # Or if mysql databases are stored in /home:
 # alias /var/lib/mysql/ -> /home/mysql/,
+
+# Also, include files in tunables/alias.d for site-specific adjustments
+include if exists <tunables/alias.d>

profiles/apparmor.d/tunables/apparmorfs

@@ -9,3 +9,6 @@
 include <tunables/securityfs>
 
 @{apparmorfs}=@{securityfs}/apparmor/
+
+# Also, include files in tunables/apparmorfs.d for site-specific adjustments
+include if exists <tunables/apparmorfs.d>

profiles/apparmor.d/tunables/dovecot

@@ -18,3 +18,5 @@
 
 @{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
 
+# Also, include files in tunables/dovecot.d for site-specific adjustments
+include if exists <tunables/dovecot.d>

profiles/apparmor.d/tunables/etc

@@ -24,6 +24,5 @@
 # For rules that only allows read access, use @{etc_ro}.
 @{etc_rw}=/etc/
 
-# Also, include files in tunables/etc.d/ for site-specific adjustments to
-# @{etc_ro} and @{etc_rw}.
+# Also, include files in tunables/etc.d for site-specific adjustments
 include if exists <tunables/etc.d>

profiles/apparmor.d/tunables/global

@@ -21,3 +21,6 @@ include <tunables/xdg-user-dirs>
 include <tunables/share>
 include <tunables/etc>
 include <tunables/run>
+
+# Also, include files in tunables/global.d for site-specific adjustments
+include if exists <tunables/global.d>

profiles/apparmor.d/tunables/home

@@ -20,6 +20,5 @@
 # refer to a specific home directory
 @{HOME}=@{HOMEDIRS}/*/ /root/
 
-# Also, include files in tunables/home.d for site-specific adjustments to
-# @{HOMEDIRS}.
-include <tunables/home.d>
+# Also, include files in tunables/home.d for site-specific adjustments
+include if exists <tunables/home.d>

profiles/apparmor.d/tunables/kernelvars

@@ -31,3 +31,6 @@
 
 # until kernel var is implemented
 @{sys}=/sys/
+
+# Also, include files in tunables/kernelvars.d for site-specific adjustments
+include if exists <tunables/kernelvars.d>

profiles/apparmor.d/tunables/multiarch

@@ -12,6 +12,5 @@
 # install prefixes.
 @{multiarch}=*-linux-gnu*
 
-# Also, include files in tunables/multiarch.d for site and packaging
-# specific adjustments to @{multiarch}.
-include <tunables/multiarch.d>
+# Also, include files in tunables/multiarch.d for site-specific adjustments
+include if exists <tunables/multiarch.d>

profiles/apparmor.d/tunables/ntpd

@@ -12,3 +12,6 @@
 #Add your ntpd devices here eg. if you have a DCF clock
 # @{NTPD_DEVICE}=/dev/ttyS*
 @{NTPD_DEVICE}="/dev/tty10"
+
+# Also, include files in tunables/ntpd.d for site-specific adjustments
+include if exists <tunables/ntpd.d>

profiles/apparmor.d/tunables/proc

@@ -10,3 +10,6 @@
 
 # @{PROC} is the location where procfs is mounted.
 @{PROC}=/proc/
+
+# Also, include files in tunables/proc.d for site-specific adjustments
+include if exists <tunables/proc.d>

profiles/apparmor.d/tunables/run

@@ -1 +1,4 @@
 @{run}=/run/ /var/run/
+
+# Also, include files in tunables/run.d for site-specific adjustments
+include if exists <tunables/run.d>

profiles/apparmor.d/tunables/securityfs

@@ -8,3 +8,6 @@
 
 # @{securityfs} is the location where securityfs is mounted.
 @{securityfs}=@{sys}/kernel/security/
+
+# Also, include files in tunables/securityfs.d for site-specific adjustments
+include if exists <tunables/securityfs.d>

profiles/apparmor.d/tunables/share

@@ -13,3 +13,6 @@
 # XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
 # for the same subdirectories as @{system_share_dirs}
 @{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
+
+# Also, include files in tunables/share.d for site-specific adjustments
+include if exists <tunables/share.d>

profiles/apparmor.d/tunables/xdg-user-dirs

@@ -20,5 +20,4 @@
 @{XDG_VIDEOS_DIR}="Videos"
 
 # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
-# to the various XDG directories
-include <tunables/xdg-user-dirs.d>
+include if exists <tunables/xdg-user-dirs.d>

profiles/apparmor.d/usr.lib.dovecot.anvil

@@ -13,7 +13,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-anvil /usr/lib/dovecot/anvil {
+profile dovecot-anvil /usr/lib*/dovecot/anvil {
   include <abstractions/base>
   include <abstractions/dovecot-common>
 
@@ -24,7 +24,7 @@ profile dovecot-anvil /usr/lib/dovecot/anvil {
 
   @{run}/dovecot/anvil rw,
   @{run}/dovecot/anvil-auth-penalty rw,
-  /usr/lib/dovecot/anvil mr,
+  /usr/lib*/dovecot/anvil mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.anvil>

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-auth /usr/lib/dovecot/auth {
+profile dovecot-auth /usr/lib*/dovecot/auth {
   include <abstractions/authentication>
   include <abstractions/base>
   include <abstractions/mysql>
@@ -34,7 +34,7 @@ profile dovecot-auth /usr/lib/dovecot/auth {
   /etc/my.cnf.d/*.cnf r,
 
   /etc/dovecot/* r,
-  /usr/lib/dovecot/auth mr,
+  /usr/lib*/dovecot/auth mr,
   /var/lib/dovecot/auth-chroot/* r,
 
   # kerberos replay cache

profiles/apparmor.d/usr.lib.dovecot.config

@@ -13,7 +13,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-config /usr/lib/dovecot/config {
+profile dovecot-config /usr/lib*/dovecot/config {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
@@ -24,8 +24,8 @@ profile dovecot-config /usr/lib/dovecot/config {
 
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
-  /usr/lib/dovecot/config mr,
-  /usr/lib/dovecot/managesieve Px,
+  /usr/lib*/dovecot/config mr,
+  /usr/lib*/dovecot/managesieve Px,
   /usr/share/dovecot/** r,
   /var/lib/dovecot/ssl-parameters.dat r,
 

profiles/apparmor.d/usr.lib.dovecot.deliver

@@ -16,7 +16,7 @@ abi <abi/4.0>,
 include <tunables/global>
 include <tunables/dovecot>
 
-profile dovecot-deliver /usr/lib/dovecot/deliver {
+profile dovecot-deliver /usr/lib*/dovecot/deliver {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
@@ -32,7 +32,7 @@ profile dovecot-deliver /usr/lib/dovecot/deliver {
   /etc/dovecot/dovecot-postfix.conf r, # ???
 
   @{HOME} r, # ???
-  /usr/lib/dovecot/deliver mr,
+  /usr/lib*/dovecot/deliver mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.deliver>

profiles/apparmor.d/usr.lib.dovecot.dict

@@ -13,7 +13,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-dict /usr/lib/dovecot/dict {
+profile dovecot-dict /usr/lib*/dovecot/dict {
   include <abstractions/base>
   include <abstractions/mysql>
   include <abstractions/nameservice>
@@ -27,7 +27,7 @@ profile dovecot-dict /usr/lib/dovecot/dict {
   /etc/dovecot/dovecot-database.conf.ext r,
   /etc/dovecot/dovecot-dict-sql.conf.ext r,
   /etc/my.cnf r,
-  /usr/lib/dovecot/dict mr,
+  /usr/lib*/dovecot/dict mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.dict>

profiles/apparmor.d/usr.lib.dovecot.director

@@ -11,7 +11,7 @@
 
 include <tunables/global>
 
-profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) {
+profile dovecot-director /usr/lib*/dovecot/director flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dovecot-common>
   include <abstractions/nameservice>
@@ -20,7 +20,7 @@ profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) {
   capability sys_chroot,
 
   /run/dovecot/login/proxy-notify rw,
-  /usr/lib/dovecot/director mr,
+  /usr/lib*/dovecot/director mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.director>

profiles/apparmor.d/usr.lib.dovecot.doveadm-server

@@ -11,11 +11,11 @@
 
 include <tunables/global>
 
-profile dovecot-doveadm-server /usr/lib/dovecot/doveadm-server flags=(attach_disconnected) {
+profile dovecot-doveadm-server /usr/lib*/dovecot/doveadm-server flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dovecot-common>
 
-  /usr/lib/dovecot/doveadm-server mr,
+  /usr/lib*/dovecot/doveadm-server mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.doveadm-server>

profiles/apparmor.d/usr.lib.dovecot.dovecot-auth

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-dovecot-auth /usr/lib/dovecot/dovecot-auth {
+profile dovecot-dovecot-auth /usr/lib*/dovecot/dovecot-auth {
   include <abstractions/authentication>
   include <abstractions/base>
   include <abstractions/nameservice>
@@ -25,7 +25,7 @@ profile dovecot-dovecot-auth /usr/lib/dovecot/dovecot-auth {
   capability dac_override,
 
   @{PROC}/@{pid}/mounts r,
-  /usr/lib/dovecot/dovecot-auth mr,
+  /usr/lib*/dovecot/dovecot-auth mr,
   @{run}/dovecot/** rw,
   # required for postfix+dovecot integration
   /var/spool/postfix/private/dovecot-auth w,

profiles/apparmor.d/usr.lib.dovecot.dovecot-lda

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 include <tunables/global>
 include <tunables/dovecot>
 
-profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
+profile dovecot-dovecot-lda /usr/lib*/dovecot/dovecot-lda flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
@@ -30,7 +30,7 @@ profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnec
   @{run}/dovecot/mounts r,
   @{run}/dovecot/auth-userdb rw,
   /usr/bin/doveconf mrix,
-  /usr/lib/dovecot/dovecot-lda mrix,
+  /usr/lib*/dovecot/dovecot-lda mrix,
   /usr/{bin,sbin}/sendmail Cx -> sendmail,
   /usr/share/dovecot/protocols.d/ r,
   /usr/share/dovecot/protocols.d/** r,

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -15,7 +15,7 @@ abi <abi/4.0>,
 include <tunables/global>
 include <tunables/dovecot>
 
-profile dovecot-imap /usr/lib/dovecot/imap {
+profile dovecot-imap /usr/lib*/dovecot/imap {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
@@ -37,7 +37,7 @@ profile dovecot-imap /usr/lib/dovecot/imap {
   @{PROC}/@{pid}/attr/{apparmor/,}current rw,
   @{PROC}/@{pid}/stat r,
   /usr/bin/doveconf rix,
-  /usr/lib/dovecot/imap mrix,
+  /usr/lib*/dovecot/imap mrix,
   /usr/share/dovecot/** r,
   @{run}/dovecot/login/imap rw,
   @{run}/dovecot/auth-master rw,

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-imap-login /usr/lib/dovecot/imap-login {
+profile dovecot-imap-login /usr/lib*/dovecot/imap-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
   include <abstractions/openssl>
@@ -26,7 +26,7 @@ profile dovecot-imap-login /usr/lib/dovecot/imap-login {
   network inet6 stream,
   network unix stream,
 
-  /usr/lib/dovecot/imap-login mr,
+  /usr/lib*/dovecot/imap-login mr,
   @{run}/dovecot/anvil rw,
   @{run}/dovecot/login-master-notify* rw,
   @{run}/dovecot/login/ r,

profiles/apparmor.d/usr.lib.dovecot.lmtp

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 include <tunables/global>
 include <tunables/dovecot>
 
-profile dovecot-lmtp /usr/lib/dovecot/lmtp {
+profile dovecot-lmtp /usr/lib*/dovecot/lmtp {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
@@ -35,7 +35,7 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp {
   owner @{PROC}/@{pid}/stat r,
   @{PROC}/*/mounts r,
   /tmp/dovecot.lmtp.* rw,
-  /usr/lib/dovecot/lmtp mr,
+  /usr/lib*/dovecot/lmtp mr,
   @{run}/dovecot/mounts r,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.lib.dovecot.log

@@ -13,11 +13,11 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-log /usr/lib/dovecot/log flags=(attach_disconnected) {
+profile dovecot-log /usr/lib*/dovecot/log flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dovecot-common>
 
-  /usr/lib/dovecot/log mr,
+  /usr/lib*/dovecot/log mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.log>

profiles/apparmor.d/usr.lib.dovecot.managesieve

@@ -15,7 +15,7 @@ abi <abi/4.0>,
 include <tunables/global>
 include <tunables/dovecot>
 
-profile dovecot-managesieve /usr/lib/dovecot/managesieve {
+profile dovecot-managesieve /usr/lib*/dovecot/managesieve {
   include <abstractions/base>
   include <abstractions/dovecot-common>
 
@@ -29,7 +29,7 @@ profile dovecot-managesieve /usr/lib/dovecot/managesieve {
 
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
-  /usr/lib/dovecot/managesieve mrix,
+  /usr/lib*/dovecot/managesieve mrix,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.managesieve>

profiles/apparmor.d/usr.lib.dovecot.managesieve-login

@@ -16,7 +16,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-managesieve-login /usr/lib/dovecot/managesieve-login {
+profile dovecot-managesieve-login /usr/lib*/dovecot/managesieve-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
   include <abstractions/openssl>
@@ -28,7 +28,7 @@ profile dovecot-managesieve-login /usr/lib/dovecot/managesieve-login {
   network inet6 stream,
   network unix stream,
 
-  /usr/lib/dovecot/managesieve-login mr,
+  /usr/lib*/dovecot/managesieve-login mr,
   @{run}/dovecot/login-master-notify* rw,
   @{run}/dovecot/login/ r,
   @{run}/dovecot/login/* rw,

profiles/apparmor.d/usr.lib.dovecot.pop3

@@ -15,7 +15,7 @@ abi <abi/4.0>,
 include <tunables/global>
 include <tunables/dovecot>
 
-profile dovecot-pop3 /usr/lib/dovecot/pop3 {
+profile dovecot-pop3 /usr/lib*/dovecot/pop3 {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
@@ -27,7 +27,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 {
 
   @{HOME} r, # ???
   @{PROC}/@{pid}/stat r,
-  /usr/lib/dovecot/pop3 mr,
+  /usr/lib*/dovecot/pop3 mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.pop3>

profiles/apparmor.d/usr.lib.dovecot.pop3-login

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-pop3-login /usr/lib/dovecot/pop3-login {
+profile dovecot-pop3-login /usr/lib*/dovecot/pop3-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
   include <abstractions/openssl>
@@ -26,7 +26,7 @@ profile dovecot-pop3-login /usr/lib/dovecot/pop3-login {
   network inet6 stream,
   network unix stream,
 
-  /usr/lib/dovecot/pop3-login mr,
+  /usr/lib*/dovecot/pop3-login mr,
   @{run}/dovecot/anvil rw,
   @{run}/dovecot/login-master-notify* rw,
   @{run}/dovecot/login/ r,

profiles/apparmor.d/usr.lib.dovecot.replicator

@@ -15,7 +15,7 @@
 include <tunables/dovecot>
 include <tunables/global>
 
-profile dovecot-replicator /usr/lib/dovecot/replicator {
+profile dovecot-replicator /usr/lib*/dovecot/replicator {
   include <abstractions/base>
   include <abstractions/dovecot-common>
   include <abstractions/nameservice>
@@ -25,7 +25,7 @@ profile dovecot-replicator /usr/lib/dovecot/replicator {
   /etc/dovecot/conf.d/ r,
   /etc/dovecot/conf.d/** r,
   /etc/dovecot/dovecot.conf r,
-  /usr/lib/dovecot/replicator mr,
+  /usr/lib*/dovecot/replicator mr,
   /usr/share/dovecot/** r,
   /{,var/}run/dovecot/auth-master rw,
   @{DOVECOT_MAILSTORE}/ rw,

profiles/apparmor.d/usr.lib.dovecot.script-login

@@ -14,14 +14,14 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-script-login /usr/lib/dovecot/script-login {
+profile dovecot-script-login /usr/lib*/dovecot/script-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
   include <abstractions/nameservice>
 
   capability setuid,
 
-  /usr/lib/dovecot/script-login mrPx,
+  /usr/lib*/dovecot/script-login mrPx,
 
   # NOTE: You'll need to allow execution of your actual login script.
   # The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login

profiles/apparmor.d/usr.lib.dovecot.ssl-params

@@ -13,13 +13,13 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-ssl-params /usr/lib/dovecot/ssl-params {
+profile dovecot-ssl-params /usr/lib*/dovecot/ssl-params {
   include <abstractions/base>
   include <abstractions/dovecot-common>
 
   @{run}/dovecot/ssl-params rw,
   @{run}/dovecot/login/ssl-params rw,
-  /usr/lib/dovecot/ssl-params mr,
+  /usr/lib*/dovecot/ssl-params mr,
   /var/lib/dovecot/ssl-parameters.dat rw,
   /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
 

profiles/apparmor.d/usr.lib.dovecot.stats

@@ -13,7 +13,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile dovecot-stats /usr/lib/dovecot/stats {
+profile dovecot-stats /usr/lib*/dovecot/stats {
   include <abstractions/base>
   include <abstractions/dovecot-common>
 
@@ -24,7 +24,7 @@ profile dovecot-stats /usr/lib/dovecot/stats {
   network inet stream,
   network inet6 stream,
 
-  /usr/lib/dovecot/stats mr,
+  /usr/lib*/dovecot/stats mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.stats>

profiles/apparmor.d/usr.sbin.dovecot

@@ -33,10 +33,10 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   capability sys_chroot,
   capability sys_resource,
 
-  signal send peer=/usr/lib/dovecot/*,
+  signal send peer=/usr/lib*/dovecot/*,
   signal send peer=dovecot-*,
 
-  unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+  unix (receive, send) type=stream peer=(label=/usr/lib*/dovecot/anvil),
   unix (receive, send) type=stream peer=(label=dovecot-anvil),
 
   /etc/dovecot/** r,
@@ -46,26 +46,26 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/fs/suid_dumpable r,
   /usr/bin/doveconf rix,
-  /usr/lib/dovecot/anvil mrPx,
-  /usr/lib/dovecot/auth mrPx,
-  /usr/lib/dovecot/config mrPx,
-  /usr/lib/dovecot/dict mrPx,
-  /usr/lib/dovecot/director mrPx,
-  /usr/lib/dovecot/doveadm-server mrPx,
-  /usr/lib/dovecot/dovecot-auth Pxmr,
-  /usr/lib/dovecot/imap Pxmr,
-  /usr/lib/dovecot/imap-login Pxmr,
-  /usr/lib/dovecot/lmtp mrPx,
-  /usr/lib/dovecot/log mrPx,
-  /usr/lib/dovecot/managesieve mrPx,
-  /usr/lib/dovecot/managesieve-login Pxmr,
-  /usr/lib/dovecot/pop3 mrPx,
-  /usr/lib/dovecot/pop3-login Pxmr,
-  /usr/lib/dovecot/replicator mrPx,
-  /usr/lib/dovecot/script-login Px,
-  /usr/lib/dovecot/ssl-build-param rix,
-  /usr/lib/dovecot/ssl-params mrPx,
-  /usr/lib/dovecot/stats Px,
+  /usr/lib*/dovecot/anvil mrPx,
+  /usr/lib*/dovecot/auth mrPx,
+  /usr/lib*/dovecot/config mrPx,
+  /usr/lib*/dovecot/dict mrPx,
+  /usr/lib*/dovecot/director mrPx,
+  /usr/lib*/dovecot/doveadm-server mrPx,
+  /usr/lib*/dovecot/dovecot-auth Pxmr,
+  /usr/lib*/dovecot/imap Pxmr,
+  /usr/lib*/dovecot/imap-login Pxmr,
+  /usr/lib*/dovecot/lmtp mrPx,
+  /usr/lib*/dovecot/log mrPx,
+  /usr/lib*/dovecot/managesieve mrPx,
+  /usr/lib*/dovecot/managesieve-login Pxmr,
+  /usr/lib*/dovecot/pop3 mrPx,
+  /usr/lib*/dovecot/pop3-login Pxmr,
+  /usr/lib*/dovecot/replicator mrPx,
+  /usr/lib*/dovecot/script-login Px,
+  /usr/lib*/dovecot/ssl-build-param rix,
+  /usr/lib*/dovecot/ssl-params mrPx,
+  /usr/lib*/dovecot/stats Px,
   /usr/{bin,sbin}/dovecot mrix,
   /usr/share/dovecot/dh.pem r,
   /usr/share/dovecot/protocols.d/   r,

profiles/apparmor/profiles/extras/firefox

@@ -22,7 +22,7 @@ include <tunables/global>
 #  /usr/lib/firefox-4.0b8/firefox
 # but not:
 #  /usr/lib/firefox-4.0b8/firefox.sh
-profile firefox @{MOZ_LIBDIR}/firefox{,*[^s][^h]} {
+profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include <abstractions/audio>
   include <abstractions/cups-client>
   include <abstractions/dbus-strict>
@@ -279,11 +279,17 @@ profile firefox @{MOZ_LIBDIR}/firefox{,*[^s][^h]} {
        interface=org.gtk.vfs.Mount
        member={CreateFileMonitor,Enumerate,QueryInfo}
        peer=(label=unconfined),
+  dbus (receive)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=Mounted
+       peer=(label=unconfined),
   dbus (send)
        bus=session
        path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
-       member={ListMountableInfo,ListMounts2,LookupMount,Mounted}
+       member={ListMountableInfo,ListMounts2,LookupMount}
        peer=(label=unconfined),
 
   # Allow access to xdg-desktop-portal and xdg-document-portal (LP: #1974449)

tests/regression/apparmor/attach_disconnected.sh

@@ -102,10 +102,18 @@ create_dir="$new_root:w $put_old:w"
 # Ensure everything works as expected when unconfined
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
 
+# TODO: adding attach_disconnected.path to a replaced unconfined
+
 genprofile $file_perm unix:create $socket:rw $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket:rw $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
 
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
 
+genprofile $file_perm unix:create $socket:rw $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket:rw $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected flag:attach_disconnected.path=/foo/
+
+do_test "attach_disconnected.path rule at /" fail $file $att_dis_client $socket $loop_device $new_root $put_old
+
+do_test "attach_disconnected.path" pass "/foo/$file" $att_dis_client $socket $loop_device $new_root $put_old
+
 genprofile $file_perm unix:create $socket:rw $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket:rw $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:no_attach_disconnected
 
 do_test "no_attach_disconnected" fail $file $att_dis_client $socket $loop_device $new_root $put_old

tests/regression/apparmor/prologue.inc

@@ -70,9 +70,14 @@ kernel_features()
 			# check if feature is in file
 			feature=$(basename "$features_dir/$f")
 			file=$(dirname "$features_dir/$f")
-			if ! grep -q $feature $file; then
+			if [ -f $file ]; then
+				if ! grep -q $feature $file; then
+					echo "Required feature '$f' not available."
+					return 2;
+				fi
+			else
 				echo "Required feature '$f' not available."
-				return 2;
+				return 3;
 			fi
 		fi
 	done

utils/aa-genprof

@@ -72,12 +72,13 @@ parser.add_argument('-j', '--json', action="store_true", help=_('Input and Outpu
 parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)
 args = parser.parse_args()
 
-if args.json:
-    aaui.set_json_mode()
-
 profiling = args.program
 
 apparmor.init_aa(confdir=args.configdir, profiledir=args.dir)
+
+if args.json:
+    aaui.set_json_mode(apparmor.cfg)
+
 apparmor.set_logfile(args.file)
 
 aa_mountpoint = apparmor.check_for_apparmor()

utils/aa-logprof

@@ -29,19 +29,20 @@ parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
 parser.add_argument('-m', '--mark', type=str, help=_('mark in the log to start processing after'))
 parser.add_argument('-j', '--json', action='store_true', help=_('Input and Output in JSON'))
 parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)
+parser.add_argument('--no-check-mountpoint', action='store_true', help=argparse.SUPPRESS)
 args = parser.parse_args()
 
-if args.json:
-    aaui.set_json_mode()
-
 logmark = args.mark or ''
 
 apparmor.init_aa(confdir=args.configdir, profiledir=args.dir)
 
+if args.json:
+    aaui.set_json_mode(apparmor.cfg)
+
 apparmor.set_logfile(args.file)
 
 aa_mountpoint = apparmor.check_for_apparmor()
-if not aa_mountpoint:
+if not aa_mountpoint and not args.no_check_mountpoint:
     raise AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))
 
 apparmor.loadincludes()

utils/apparmor/aa.py

@@ -1031,7 +1031,7 @@ def ask_exec(hashlog):
                         if target_profile and hashlog[aamode].get(target_profile):
                             hashlog[aamode][target_profile]['final_name'] = profile
 
-                    elif re.search('^CMD_(px|nx|pix|nix)', ans):
+                    elif ans.startswith('CMD_px') or ans.startswith('CMD_pix'):
                         if to_name:
                             exec_target = to_name
 
@@ -1087,6 +1087,8 @@ def ask_exec(hashlog):
                     elif ans.startswith('CMD_ux'):
                         continue
 
+                    else:
+                        raise AppArmorBug('Unhandled ans %s, please open a bugreport!' % ans)
 
 def order_globs(globs, original_path):
     """Returns the globs in sorted order, more specific behind"""

utils/apparmor/ui.py

@@ -33,14 +33,20 @@ debug_logger = DebugLogger('UI')
 ARROWS = {'A': 'UP', 'B': 'DOWN', 'C': 'RIGHT', 'D': 'LEFT'}
 
 UI_mode = 'text'
+jsonlog = None
 
 
 def write_json(jsonout):
-    print(json.dumps(jsonout, sort_keys=False, separators=(',', ': ')))
+    jtxt = json.dumps(jsonout, sort_keys=False, separators=(',', ': '))
+
+    if jsonlog:
+        jsonlog.write('o ' + jtxt + '\n')
+
+    print(jtxt)
     sys.stdout.flush()
 
 
-def set_json_mode():
+def set_json_mode(cfg):
     """
     Currently this is only used by aa-genprof and aa-logprof, while e.g.
     aa-status generates its own JSON output.
@@ -50,8 +56,14 @@ def set_json_mode():
 
     Current known consumers of the JSON output:
     - YaST
+
+    The cfg parameter expects the parsed logprof.conf aka apparmor.aa.cfg.
     """
-    global UI_mode
+    global UI_mode, jsonlog
+
+    if int(cfg['settings'].get('json_log', False)):
+        jsonlog = NamedTemporaryFile('w', prefix='aa-jsonlog-', delete=False, encoding='utf-8')
+
     UI_mode = 'json'
     jsonout = {'dialog': 'apparmor-json-version', 'data': '2.12'}
     write_json(jsonout)
@@ -67,6 +79,10 @@ def set_text_mode():
 # for the dialog type
 def json_response(dialog_type):
     string = input('\n')
+
+    if jsonlog:
+        jsonlog.write('i ' + string + '\n')
+
     rh = json.loads(string.strip())
     if rh["dialog"] != dialog_type:
         raise AppArmorException('Expected response %s got %s.' % (dialog_type, string))

utils/logprof.conf

@@ -35,6 +35,10 @@
   # files.
   custom_includes =
 
+  # When called with --json, log all input and output to a tempfile (/tmp/aa-jsonlog-*)
+  # Only enable for debugging.
+  # Note that aa-logprof will not display any hint that aa-jsonlog-* gets written.
+  json_log = 0
 
 [qualifiers]
   # things will be painfully broken if bash has a profile

utils/test/Makefile

@@ -21,7 +21,7 @@ COMMONDIR=../../common/
 include $(COMMONDIR)/Make.rules
 
 # files that don't have 100% test coverage
-INCOMPLETE_COVERAGE=libraries/libapparmor/swig/python/.*/LibAppArmor/LibAppArmor.py|utils/apparmor/aa.py|utils/apparmor/common.py|utils/apparmor/config.py|utils/apparmor/easyprof.py|utils/apparmor/fail.py|utils/apparmor/logparser.py|utils/apparmor/profile_storage.py|utils/apparmor/rules.py|utils/apparmor/ui.py|minitools_test.py
+INCOMPLETE_COVERAGE=libraries/libapparmor/swig/python/.*/LibAppArmor/LibAppArmor.py|utils/aa-logprof|utils/apparmor/aa.py|utils/apparmor/common.py|utils/apparmor/config.py|utils/apparmor/easyprof.py|utils/apparmor/fail.py|utils/apparmor/logparser.py|utils/apparmor/profile_storage.py|utils/apparmor/rules.py|utils/apparmor/ui.py|minitools_test.py
 
 
 ifdef USE_SYSTEM

utils/test/logprof/ping.auditlog

@@ -0,0 +1,3 @@
+type=AVC msg=audit(1691930856.284:29963): apparmor="DENIED" operation="open" class="file" profile="ping" name="/proc/21622/cmdline" pid=9136 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
+type=SYSCALL msg=audit(1691930856.284:29963): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc4539abf8 a2=0 a3=0 items=0 ppid=21622 pid=9136 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts4 ses=2 comm="cat" exe="/usr/bin/cat" subj=ping key=(null)
+type=AVC msg=audit(1691930881.661:29975): apparmor="STATUS" operation="profile_replace" profile="apparmor_parser" name="ping" pid=10005 comm="apparmor_parser"

utils/test/logprof/ping.bin.ping

@@ -0,0 +1,33 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+profile ping /{usr/,}bin/{,iputils-}ping {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice>
+  include if exists <local/bin.ping>
+
+  capability net_raw,
+  capability setuid,
+
+  network inet raw,
+  network inet6 raw,
+
+  /etc/modules.conf r,
+  /proc/21622/cmdline r,
+  /{,usr/}bin/{,iputils-}ping mrix,
+
+}

utils/test/logprof/ping.jsonlog

@@ -0,0 +1,13 @@
+o {"dialog": "apparmor-json-version","data": "2.12"}
+o {"dialog": "info","data": "Updating AppArmor profiles in /etc/apparmor.d."}
+o {"dialog": "info","data": "Reading log entries from /var/log/audit/audit.log."}
+o {"dialog": "info","data": "Complain-mode changes:"}
+o {"dialog": "info","data": "Enforce-mode changes:"}
+o {"dialog": "promptuser","title": null,"headers": {"Profile": "ping","Path": "/proc/21622/cmdline","New Mode": "owner r","Severity": 6},"explanation": null,"options": ["owner /proc/*/cmdline r,","owner /proc/21622/cmdline r,"],"menu_items": ["(A)llow","[(D)eny]","(I)gnore","(G)lob","Glob with (E)xtension","(N)ew","Audi(t)","(O)wner permissions off","Abo(r)t","(F)inish"],"default_key": "d"}
+i {"dialog":"promptuser","selected":0,"response_key":"o"}
+o {"dialog": "promptuser","title": null,"headers": {"Profile": "ping","Path": "/proc/21622/cmdline","New Mode": "r","Severity": 6},"explanation": null,"options": ["/proc/*/cmdline r,","/proc/21622/cmdline r,"],"menu_items": ["(A)llow","[(D)eny]","(I)gnore","(G)lob","Glob with (E)xtension","(N)ew","Audi(t)","(O)wner permissions on","Abo(r)t","(F)inish"],"default_key": "d"}
+i {"dialog":"promptuser","selected":1,"response_key":"a"}
+o {"dialog": "info","data": "Adding /proc/21622/cmdline r, to profile."}
+o {"dialog": "promptuser","title": "Changed Local Profiles","headers": {},"explanation": "The following local profiles were changed. Would you like to save them?","options": ["ping"],"menu_items": ["(S)ave Changes","Save Selec(t)ed Profile","[(V)iew Changes]","View Changes b/w (C)lean profiles","Abo(r)t"],"default_key": "v"}
+i {"dialog":"promptuser","selected":0,"response_key":"t"}
+o {"dialog": "info","data": "Writing updated profile for ping."}

utils/test/severity.db

@@ -0,0 +1 @@
+../severity.db

utils/test/test-aa-cli-bootstrap.py

@@ -61,7 +61,7 @@ class AACliBootstrapTest(AATest):
         self.assertEqual(sys.stdout.getvalue(), 'Test string\n')
 
     def test_aa_ui_info_json(self):
-        aaui.set_json_mode()
+        aaui.set_json_mode({'settings': {}})
         sys.stdout.getvalue()
         aaui.UI_Info('Test string')
         self.assertEqual(

utils/test/test-logprof.py

@@ -0,0 +1,119 @@
+#! /usr/bin/python3
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2023 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import os
+import shutil
+import subprocess
+import sys
+import unittest
+
+# import apparmor.aa as aa  # see the setup_aa() call for details
+from common_test import AATest, read_file, setup_all_loops  # , setup_aa
+
+
+class TestLogprof(AATest):
+    # This test expects a set of files:
+    # - logprof/TESTNAME.auditlog - audit.log
+    # - logprof/TESTNAME.jsonlog - expected aa-logprof --json input and output (gathered with json_log=1 in logprof.conf)
+    # - logprof/TESTNAME.PROFILE - one or more profiles in the expected state
+    # where TESTNAME is the name given in the first column of 'tests'
+    tests = (
+        # test name         # profiles to verify
+        ('ping',            ['bin.ping']),
+    )
+
+    def AASetup(self):
+        self.createTmpdir()
+
+        # copy the local profiles to the test directory
+        self.profile_dir = self.tmpdir + '/profiles'
+        shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
+
+    def AATeardown(self):
+        self._terminate()
+
+    def _startLogprof(self, auditlog):
+        exe = [sys.executable]
+
+        if 'coverage' in sys.modules:
+            exe = exe + ['-m', 'coverage', 'run', '--branch', '-p']
+
+        exe = exe + ['../aa-logprof', '--json', '--configdir', './', '-f', auditlog, '-d', self.profile_dir, '--no-check-mountpoint']
+
+        process = subprocess.Popen(
+            exe,
+            stdin=subprocess.PIPE,
+            stdout=subprocess.PIPE,
+            # stderr=subprocess.STDOUT,
+            env={'LANG': 'C',
+                 'PYTHONPATH': os.environ.get('PYTHONPATH', ''),
+                 'LD_LIBRARY_PATH': os.environ.get('LD_LIBRARY_PATH', ''),
+            },
+        )
+
+        return process
+
+    def _terminate(self):
+        self.process.stdin.close()
+        self.process.stdout.close()
+        self.process.terminate()
+        self.process.wait(timeout=0.2)
+
+    def _run_test(self, params, expected):
+        auditlog = './logprof/%s.auditlog' % params
+        jsonlog = './logprof/%s.jsonlog' % params
+
+        jlog = read_file(jsonlog)
+        jlog = jlog.replace('/etc/apparmor.d', self.profile_dir)
+        jlog = jlog.replace('/var/log/audit/audit.log', auditlog)
+        jlog = jlog.strip().split('\n')
+
+        self.process = self._startLogprof(auditlog)
+
+        for line in jlog:
+            if line.startswith('o '):  # read from stdout
+                output = self.process.stdout.readline().decode("utf-8").strip()
+                self.assertEqual(output, line[2:])
+
+            elif line.startswith('i '):  # send to stdin
+                # expect an empty prompt line
+                output = self.process.stdout.readline().decode("utf-8").strip()
+                self.assertEqual(output, '')
+
+                # "type" answer
+                self.process.stdin.write(line[2:].encode("utf-8") + b"\n")
+                self.process.stdin.flush()
+
+            else:
+                raise Exception('Unknown line in json log %s: %s' % (jsonlog, line))
+
+        # give logprof some time to write the updated profile and terminate
+        self.process.wait(timeout=0.2)
+        self.assertEqual(self.process.returncode, 0)
+
+        for file in expected:
+            exp = read_file('./logprof/%s.%s' % (params, file))
+            actual = read_file(os.path.join(self.profile_dir, file))
+
+            # remove '# Last Modified:' line from updated profile
+            actual = actual.split('\n')
+            if actual[0].startswith('# Last Modified:'):
+                actual = actual[1:]
+            actual = '\n'.join(actual)
+
+            self.assertEqual(actual, exp)
+
+
+# if you import apparmor.aa and call init_aa() in your tests, uncomment this
+# setup_aa(aa)
+setup_all_loops(__name__)
+if __name__ == '__main__':
+    unittest.main(verbosity=1)

utils/test/test-parser-simple-tests.py

@@ -154,6 +154,21 @@ exception_not_raised = (
     'profile/flags/flags_bad44.sd',
     'profile/flags/flags_bad45.sd',
     'profile/flags/flags_bad46.sd',
+    'profile/flags/flags_bad47.sd',
+    'profile/flags/flags_bad48.sd',
+    'profile/flags/flags_bad49.sd',
+    'profile/flags/flags_bad50.sd',
+    'profile/flags/flags_bad51.sd',
+    'profile/flags/flags_bad52.sd',
+    'profile/flags/flags_bad53.sd',
+    'profile/flags/flags_bad54.sd',
+    'profile/flags/flags_bad55.sd',
+    'profile/flags/flags_bad56.sd',
+    'profile/flags/flags_bad_disconnected_path1.sd',
+    'profile/flags/flags_bad_disconnected_path2.sd',
+    'profile/flags/flags_bad_disconnected_path3.sd',
+    'profile/flags/flags_bad_disconnected_path4.sd',
+    'profile/flags/flags_bad_disconnected_path5.sd',
     'profile/profile_ns_bad8.sd',  # 'profile :ns/t' without terminating ':'
     'ptrace/bad_05.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
     'ptrace/bad_06.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword