Prepare for 4.1.0~beta1 release

- bump version

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -1,4 +1,4 @@
-apparmor-*
+apparmor-
 cscope.*
 binutils/aa-enabled
 binutils/aa-enabled.1
@@ -16,6 +16,7 @@ parser/af_names.h
 parser/cap_names.h
 parser/generated_cap_names.h
 parser/generated_af_names.h
+parser/errnos.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
@@ -27,41 +28,9 @@ parser/parser_version.h
 parser/parser_yacc.c
 parser/parser_yacc.h
 parser/pod2htm*.tmp
-parser/af_rule.o
-parser/af_unix.o
-parser/common_optarg.o
-parser/dbus.o
-parser/default_features.o
-parser/lib.o
-parser/libapparmor_re/aare_rules.o
-parser/libapparmor_re/chfa.o
-parser/libapparmor_re/expr-tree.o
-parser/libapparmor_re/hfa.o
+parser/libapparmor_re/*.o
 parser/libapparmor_re/libapparmor_re.a
-parser/libapparmor_re/parse.o
-parser/mount.o
-parser/mqueue.o
-parser/network.o
-parser/parser_alias.o
-parser/parser_common.o
-parser/parser_include.o
-parser/parser_interface.o
-parser/parser_lex.o
-parser/parser_main.o
-parser/parser_merge.o
-parser/parser_misc.o
-parser/parser_policy.o
-parser/parser_regex.o
-parser/parser_symtab.o
-parser/parser_variable.o
-parser/parser_yacc.o
-parser/policy_cache.o
-parser/profile.o
-parser/ptrace.o
-parser/rule.o
-parser/signal.o
-parser/userns.o
-parser/io_uring.o
+parser/*.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -211,6 +180,7 @@ utils/apparmor/*.pyc
 utils/apparmor/rule/*.pyc
 utils/apparmor.egg-info/
 utils/build/
+!utils/emacs/apparmor-mode.el
 utils/htmlcov/
 utils/test/common_test.pyc
 utils/test/.coverage
@@ -263,7 +233,10 @@ tests/regression/apparmor/link_subset
 tests/regression/apparmor/mkdir
 tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
+tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat

.gitlab-ci.yml

@@ -17,7 +17,7 @@ stages:
     - uname -a
 
 .install-c-build-deps: &install-c-build-deps
-  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
+  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
 
 build-all:
   stage: build
@@ -77,7 +77,8 @@ test-utils:
   extends:
     - .ubuntu-before_script
   script:
-    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
+    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
+
     # See apparmor/apparmor#221
     - make -C parser/tst gen_dbus
     - make -C parser/tst gen_xtrans
@@ -104,7 +105,7 @@ test-profiles:
   script:
     - make -C profiles check-parser
     - make -C profiles check-abstractions.d
-    - make -C profiles check-extras
+    - make -C profiles check-local
 
 shellcheck:
   stage: test
@@ -112,7 +113,7 @@ shellcheck:
   extends:
     - .ubuntu-before_script
   script:
-  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
+  - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
   - shellcheck --version
   - './tests/bin/shellcheck-tree --format=checkstyle
        | xmlstarlet tr tests/checkstyle2junit.xslt

README.md

@@ -181,6 +181,9 @@ $ make check	# depends on the parser having been built first
 $ make install
 ```
 
+Note that the empty local/* profile sniplets no longer get created by default.
+If you want them, run `make local` before running `make check`.
+
 [Note that for the parser, binutils, and utils, if you only wish to build/use
  some of the locale languages, you can override the default by passing
  the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
@@ -351,6 +354,9 @@ The aa-notify tool's Python dependencies can be satisfied by installing the
 following packages (Debian package names, other distros may vary):
 * python3-notify2
 * python3-psutil
+* python3-tk
+* python3-ttkthemes
+* python3-gi
 
 Perl is no longer needed since none of the utilities shipped to end users depend
 on it anymore.

binutils/aa_load.c

@@ -172,7 +172,8 @@ static int load_policy_dir(const char *dir_path)
 	while ((dir = readdir(d)) != NULL) {
 		/* Only check regular files for now */
 		if (dir->d_type == DT_REG) {
-			len = strnlen(dir->d_name, PATH_MAX);
+			/* As per POSIX dir->d_name has at most NAME_MAX characters */
+			len = strnlen(dir->d_name, NAME_MAX);
 			/* Ignores .features */
 			if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {
 				continue;

binutils/aa_status.c

@@ -115,6 +115,7 @@ static void free_processes(struct process *processes, size_t n) {
 #define SHOW_PROCESSES 2
 
 static int verbose = 1;
+static bool quiet = false;
 int opt_show = SHOW_PROFILES | SHOW_PROCESSES;
 bool opt_json = false;
 bool opt_pretty = false;
@@ -127,15 +128,21 @@ const char *opt_exe = ".*";
 const char *profile_statuses[] = {"enforce", "complain", "prompt", "kill", "unconfined"};
 const char *process_statuses[] = {"enforce", "complain", "prompt", "kill", "unconfined", "mixed"};
 
-#define dprintf(...)                                                           \
+#define eprintf(...)                                                    \
+do {									\
+	if (!quiet)							\
+	  fprintf(stderr, __VA_ARGS__);					\
+} while (0)
+
+#define dprintf(...)							\
 do {									       \
-	if (verbose)							       \
+	if (verbose && !opt_json)					       \
 		printf(__VA_ARGS__);					       \
 } while (0)
 
 #define dfprintf(...)                                                          \
 do {									       \
-	if (verbose)							       \
+	if (verbose && !opt_json)					       \
 		fprintf(__VA_ARGS__);					       \
 } while (0)
 
@@ -149,14 +156,14 @@ static int open_profiles(FILE **fp)
 
 	ret = stat("/sys/module/apparmor", &st);
 	if (ret != 0) {
-		dfprintf(stderr, "apparmor not present.\n");
+		eprintf("apparmor not present.\n");
 		return AA_EXIT_DISABLED;
 	}
 	dprintf("apparmor module is loaded.\n");
 
 	ret = aa_find_mountpoint(&apparmorfs);
 	if (ret == -1) {
-		dfprintf(stderr, "apparmor filesystem is not mounted.\n");
+		eprintf("apparmor filesystem is not mounted.\n");
 		return AA_EXIT_NO_CONTROL;
 	}
 
@@ -169,9 +176,9 @@ static int open_profiles(FILE **fp)
 	*fp = fopen(apparmor_profiles, "r");
 	if (*fp == NULL) {
 		if (errno == EACCES) {
-			dfprintf(stderr, "You do not have enough privilege to read the profile set.\n");
+			eprintf("You do not have enough privilege to read the profile set.\n");
 		} else {
-			dfprintf(stderr, "Could not open %s: %s", apparmor_profiles, strerror(errno));
+			eprintf("Could not open %s: %s", apparmor_profiles, strerror(errno));
 		}
 		return AA_EXIT_NO_PERM;
 	}
@@ -201,7 +208,7 @@ static int get_profiles(FILE *fp, struct profile **profiles, size_t *n) {
 		char *tmpname = aa_splitcon(line, &status);
 
 		if (!tmpname) {
-			dfprintf(stderr, "Error: failed profile name split of '%s'.\n", line);
+			eprintf("Error: failed profile name split of '%s'.\n", line);
 			// skip this entry and keep processing
 			// else would be AA_EXIT_INTERNAL_ERROR;
 			continue;
@@ -344,7 +351,7 @@ static int get_processes(struct profile *profiles,
 			continue;
 		} else if (rc == -1 ||
 			   asprintf(&exe, "/proc/%s/exe", entry->d_name) == -1) {
-			fprintf(stderr, "ERROR: Failed to allocate memory\n");
+			eprintf("ERROR: Failed to allocate memory\n");
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto exit;
 		} else if (mode) {
@@ -367,7 +374,7 @@ static int get_processes(struct profile *profiles,
 			// ensure enough space for NUL terminator
 			real_exe = calloc(PATH_MAX + 1, sizeof(char));
 			if (real_exe == NULL) {
-				fprintf(stderr, "ERROR: Failed to allocate memory\n");
+				eprintf("ERROR: Failed to allocate memory\n");
 				ret = AA_EXIT_INTERNAL_ERROR;
 				goto exit;
 			}
@@ -575,7 +582,7 @@ static int detailed_profiles(FILE *outf, filters_t *filters, bool json,
 		 */
 		subfilters.mode = &mode_filter;
 		if (regcomp(&mode_filter, profile_statuses[i], REG_NOSUB) != 0) {
-			dfprintf(stderr, "Error: failed to compile sub filter '%s'\n",
+			eprintf("Error: failed to compile sub filter '%s'\n",
 				 profile_statuses[i]);
 			return AA_EXIT_INTERNAL_ERROR;
 		}
@@ -641,7 +648,7 @@ static int detailed_processes(FILE *outf, filters_t *filters, bool json,
 		 */
 		subfilters.mode = &mode_filter;
 		if (regcomp(&mode_filter, process_statuses[i], REG_NOSUB) != 0) {
-			dfprintf(stderr, "Error: failed to compile sub filter '%s'\n",
+			eprintf("Error: failed to compile sub filter '%s'\n",
 				 profile_statuses[i]);
 			return AA_EXIT_INTERNAL_ERROR;
 		}
@@ -765,8 +772,9 @@ static int print_usage(const char *command, bool error)
 	 "  --json          displays multiple data points in machine-readable JSON format\n"
 	 "  --pretty-json   same data as --json, formatted for human consumption as well\n"
 	 "  --verbose       (default) displays data points about loaded policy set\n"
-	 "  -h [(legacy|filter)]    this message, or info on the specified option\n"
-	 " --help[=(legacy|filter)] this message, or info on the specified option\n",
+	 "  --quiet         don't output error messages\n"
+	 "  -h[(legacy|filters)]      this message, or info on the specified option\n"
+	 "  --help[=(legacy|filters)] this message, or info on the specified option\n",
 	 command);
 
 	exit(status);
@@ -792,6 +800,7 @@ static int print_usage(const char *command, bool error)
 #define ARG_EXE		143
 #define ARG_PROMPT	144
 #define ARG_VERBOSE 'v'
+#define ARG_QUIET 'q'
 #define ARG_HELP 'h'
 
 static int parse_args(int argc, char **argv)
@@ -809,6 +818,7 @@ static int parse_args(int argc, char **argv)
 		{"json", no_argument, 0, ARG_JSON},
 		{"pretty-json", no_argument, 0, ARG_PRETTY},
 		{"verbose", no_argument, 0, ARG_VERBOSE},
+		{"quiet", no_argument, 0, ARG_QUIET},
 		{"help", 2, 0, ARG_HELP},
 		{"count", no_argument, 0, ARG_COUNT},
 		{"show", 1, 0, ARG_SHOW},
@@ -820,7 +830,7 @@ static int parse_args(int argc, char **argv)
 	};
 
 	// Using exit here is temporary
-	while ((opt = getopt_long(argc, argv, "+vh", long_opts, NULL)) != -1) {
+	while ((opt = getopt_long(argc, argv, "+vh::", long_opts, NULL)) != -1) {
 		switch (opt) {
 		case ARG_ENABLED:
 			exit(aa_is_enabled() == 1 ? 0 : AA_EXIT_DISABLED);
@@ -830,6 +840,9 @@ static int parse_args(int argc, char **argv)
 			/* default opt_mode */
 			/* default opt_show */
 			break;
+		case ARG_QUIET:
+			quiet = true;
+			break;
 		case ARG_HELP:
 			if (!optarg) {
 				print_usage(argv[0], false);
@@ -838,7 +851,7 @@ static int parse_args(int argc, char **argv)
 			} else if (strcmp(optarg, "filters") == 0) {
 				usage_filters();
 			} else {
-				dfprintf(stderr, "Error: Invalid --help option '%s'.\n", optarg);
+				eprintf("Error: Invalid --help option '%s'.\n", optarg);
 				print_usage(argv[0], true);
 				break;
 			}
@@ -906,7 +919,7 @@ static int parse_args(int argc, char **argv)
 			} else if (strcmp(optarg, "processes") == 0) {
 				opt_show = SHOW_PROCESSES;
 			} else {
-				dfprintf(stderr, "Error: Invalid --show option '%s'.\n", optarg);
+				eprintf("Error: Invalid --show option '%s'.\n", optarg);
 				print_usage(argv[0], true);
 				break;
 			}
@@ -928,7 +941,7 @@ static int parse_args(int argc, char **argv)
 			break;
 			
 		default:
-			dfprintf(stderr, "Error: Invalid command.\n");
+			eprintf("Error: Invalid command.\n");
 			print_usage(argv[0], true);
 			break;
 		}
@@ -953,7 +966,7 @@ int main(int argc, char **argv)
 	if (argc > 1) {
 		int pos = parse_args(argc, argv);
 		if (pos < argc) {
-			dfprintf(stderr, "Error: Unknown options.\n");
+			eprintf("Error: Unknown options.\n");
 			print_usage(progname, true);
 		}
 	} else {
@@ -965,24 +978,24 @@ int main(int argc, char **argv)
 
 	init_filters(&filters, &filter_set);
 	if (regcomp(filters.mode, opt_mode, REG_NOSUB) != 0) {
-		dfprintf(stderr, "Error: failed to compile mode filter '%s'\n",
+		eprintf("Error: failed to compile mode filter '%s'\n",
 			 opt_mode);
 		return AA_EXIT_INTERNAL_ERROR;
 	}
 	if (regcomp(filters.profile, opt_profiles, REG_NOSUB) != 0) {
-		dfprintf(stderr, "Error: failed to compile profiles filter '%s'\n",
+		eprintf("Error: failed to compile profiles filter '%s'\n",
 			 opt_profiles);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
 	}
 	if (regcomp(filters.pid, opt_pid, REG_NOSUB) != 0) {
-		dfprintf(stderr, "Error: failed to compile ps filter '%s'\n",
+		eprintf("Error: failed to compile ps filter '%s'\n",
 			 opt_pid);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
 	}
 	if (regcomp(filters.exe, opt_exe, REG_NOSUB) != 0) {
-		dfprintf(stderr, "Error: failed to compile exe filter '%s'\n",
+		eprintf("Error: failed to compile exe filter '%s'\n",
 			 opt_exe);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
@@ -997,7 +1010,7 @@ int main(int argc, char **argv)
 		outf_save = outf;
 		outf = open_memstream(&buffer, &buffer_size);
 		if (!outf) {
-			dfprintf(stderr, "Failed to open memstream: %m\n");
+			eprintf("Failed to open memstream: %m\n");
 			return AA_EXIT_INTERNAL_ERROR;
 		}
 	}
@@ -1008,7 +1021,7 @@ int main(int argc, char **argv)
 	 */
 	ret = get_profiles(fp, &profiles, &nprofiles);
 	if (ret != 0) {
-		dfprintf(stderr, "Failed to get profiles: %d....\n", ret);
+		eprintf("Failed to get profiles: %d....\n", ret);
 		goto out;
 	}
 
@@ -1032,7 +1045,7 @@ int main(int argc, char **argv)
 
 		ret = get_processes(profiles, nprofiles, &processes, &nprocesses);
 		if (ret != 0) {
-			dfprintf(stderr, "Failed to get processes: %d....\n", ret);
+			eprintf("Failed to get processes: %d....\n", ret);
 		} else if (opt_count) {
 			ret = simple_filtered_process_count(outf, &filters,
 							processes, nprocesses);
@@ -1058,14 +1071,14 @@ int main(int argc, char **argv)
 		outf = outf_save;
 		json = cJSON_Parse(buffer);
 		if (!json) {
-			dfprintf(stderr, "Failed to parse json output");
+			eprintf("Failed to parse json output");
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto out;
 		}
 
 		pretty = cJSON_Print(json);
 		if (!pretty) {
-			dfprintf(stderr, "Failed to print pretty json");
+			eprintf("Failed to print pretty json");
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto out;
 		}

changehat/pam_apparmor/README

@@ -67,10 +67,10 @@ to syslog.
 References
 ----------
 Project webpage:
-http://developer.novell.com/wiki/index.php/Novell_AppArmor
+https://apparmor.net/
 
 To provide feedback or ask questions please contact the
-apparmor-dev@forge.novell.com mail list. This is the development list
+apparmor@lists.ubuntu.com mail list. This is the development list
 for the AppArmor team.
 
 See also: change_hat(3), and the Linux-PAM online documentation at

changehat/tomcat_apparmor/tomcat_5_0/README.tomcat_apparmor

@@ -188,10 +188,9 @@ parent context.
 8. Feedback/Resources
    -----------------
 
-To provide feedback or ask questions please contact the 
-apparmor-dev@forge.novell.com mail list. This is the development list for the 
-AppArmor team.
-
-
-
+Project webpage:
+https://apparmor.net/
 
+To provide feedback or ask questions please contact the
+apparmor@lists.ubuntu.com mail list. This is the development list
+for the AppArmor team.

changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor

@@ -188,10 +188,9 @@ parent context.
 8. Feedback/Resources
    -----------------
 
-To provide feedback or ask questions please contact the 
-apparmor-dev@forge.novell.com mail list. This is the development list for the 
-AppArmor team.
-
-
-
+Project webpage:
+https://apparmor.net/
 
+To provide feedback or ask questions please contact the
+apparmor@lists.ubuntu.com mail list. This is the development list
+for the AppArmor team.

common/Version

@@ -1 +1 @@
-4.0.0~alpha2
+4.1.0~beta1

libraries/libapparmor/configure.ac

@@ -92,6 +92,14 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 
+m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
+EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
+AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
+AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
+	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
+	,)
+AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
+
 AC_OUTPUT(
 Makefile
 doc/Makefile

libraries/libapparmor/doc/aa_getcon.pod

@@ -116,6 +116,14 @@ The specified I<file/task> does not exist or is not visible.
 
 The confinement data is too large to fit in the supplied buffer.
 
+=item B<ENOPROTOOPT>
+
+The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
+mainly when the kernel lacks 'fine grained unix mediation' support. It also
+can happen on LSM stacking kernels where another LSM has claimed this
+interface and decides to return this error, although this is really a
+corner case.
+
 =back
 
 =head1 NOTES

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
 aa_stack_profile("profile_a"), the equivalent of this shell command can be
 used:
 
- $ echo -n "stackprofile profile_a" > /proc/self/attr/current
+ $ echo -n "stack profile_a" > /proc/self/attr/current
 
 To stack a profile named "profile_a" at the next exec, as performed with
 aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
 
- $ echo -n "stackexec profile_a" > /proc/self/attr/exec
+ $ echo -n "stack profile_a" > /proc/self/attr/exec
 
 These raw AppArmor filesystem operations must only be used when using
 libapparmor is not a viable option.
@@ -184,6 +184,7 @@ with apparmor_parser(8):
      /etc/passwd               r,
 
      # Needed for aa_stack_profile()
+     change-profile -> &i_cant_be_trusted_anymore,
      /usr/lib/libapparmor*.so* mr,
      /proc/[0-9]*/attr/current w,
  }

libraries/libapparmor/include/aalogparse.h

@@ -148,6 +148,9 @@ typedef struct
 	unsigned long net_local_port;
 	char *net_foreign_addr;
 	unsigned long net_foreign_port;
+
+	char *execpath;
+
 	char *dbus_bus;
 	char *dbus_path;
 	char *dbus_interface;
@@ -161,6 +164,9 @@ typedef struct
 	char *src_name;
 
 	char *class;
+
+	char *net_addr;
+	char *peer_addr;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/Makefile.am

@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
 #
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
 
-AA_LIB_CURRENT = 18
+AA_LIB_CURRENT = 20
 AA_LIB_REVISION = 0
-AA_LIB_AGE = 17
-EXPECTED_SO_NAME = libapparmor.so.1.17.0
+AA_LIB_AGE = 19
+EXPECTED_SO_NAME = libapparmor.so.1.19.0
 
 SUFFIXES = .pc.in .pc
 
@@ -45,7 +45,6 @@ include $(COMMONDIR)/Make.rules
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<

libraries/libapparmor/src/grammar.y

@@ -114,6 +114,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_PERIOD
 %token TOK_QUESTION_MARK
 %token TOK_SINGLE_QUOTE
+%token TOK_NONE
 
 %token TOK_TYPE_REJECT
 %token TOK_TYPE_AUDIT
@@ -187,6 +188,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_UNIX_PEER_ADDR
+%token TOK_KEY_EXECPATH
 %token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
@@ -354,6 +357,13 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
+	| TOK_KEY_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_ADDR TOK_EQUALS safe_string
+	{ ret_record->net_addr = $3; }
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS safe_string
+	{ ret_record->peer_addr = $3; }
 	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
 	{ free($3);} /* Ignore - fsuid username */
 	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
@@ -363,10 +373,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
 	{ free($3); /* Ignore - hostname from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
 	| TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS safe_string
-	{ free($3); /* Ignore - IP address from user AVC messages */ }
 	| TOK_KEY_TERMINAL TOK_EQUALS safe_string
 	{ free($3); /* Ignore - TTY from user AVC messages */ }
 	| TOK_KEY_EXE TOK_EQUALS safe_string
@@ -419,14 +426,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->dbus_member = $3; }
 	| TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
 	{ ret_record->signal = $3; }
-
 	| TOK_KEY_FSTYPE TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fs_type = $3; }
 	| TOK_KEY_FLAGS TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->flags = $3; }
 	| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->src_name = $3; }
-
+	| TOK_KEY_EXECPATH TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->execpath = $3; }
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;

libraries/libapparmor/src/libaalogparse.c

@@ -103,6 +103,13 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
+		if (record->net_addr != NULL)
+			free(record->net_addr);
+		if (record->peer_addr != NULL)
+			free(record->peer_addr);
+		if (record->execpath != NULL)
+			free(record->execpath);
+
 		if (record->class != NULL)
 			free(record->class);
 

libraries/libapparmor/src/libapparmor.map

@@ -127,6 +127,7 @@ APPARMOR_3.0 {
 APPARMOR_3.1 {
   global:
 	aa_features_check;
+	aa_split_overlay_str;
   local:
 	*;
 } APPARMOR_3.0;

libraries/libapparmor/src/scanner.l

@@ -90,6 +90,7 @@ question_mark	"?"
 single_quote	"'"
 mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
 modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
+none		"none"
 /* New message types */
 
 aa_reject_type		"APPARMOR_DENIED"
@@ -157,9 +158,13 @@ key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
 key_laddr		"laddr"
+key_saddr		"saddr"
 key_faddr		"faddr"
+key_daddr		"daddr"
 key_lport		"lport"
+key_srcport		"src"
 key_fport		"fport"
+key_destport		"dest"
 key_bus			"bus"
 key_dest		"dest"
 key_path		"path"
@@ -173,6 +178,8 @@ key_flags		"flags"
 key_srcname		"srcname"
 key_class		"class"
 key_tcontext		"tcontext"
+key_unix_peer_addr	"peer_addr"
+key_execpath		"execpath"
 audit			"audit"
 
 /* network addrs */
@@ -303,6 +310,8 @@ yy_flex_debug = 0;
 {period}		{ return(TOK_PERIOD); }
 {question_mark}		{ return(TOK_QUESTION_MARK); }
 {single_quote}		{ return(TOK_SINGLE_QUOTE); }
+{none}			{ return(TOK_NONE); }
+
 
 {key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
 {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
@@ -342,7 +351,7 @@ yy_flex_debug = 0;
 {key_sauid}		{ return(TOK_KEY_SAUID); }
 {key_ses}		{ return(TOK_KEY_SES); }
 {key_hostname}		{ return(TOK_KEY_HOSTNAME); }
-{key_addr}		{ return(TOK_KEY_ADDR); }
+{key_addr}		{ BEGIN(safe_string); return(TOK_KEY_ADDR); }
 {key_terminal}		{ return(TOK_KEY_TERMINAL); }
 {key_exe}		{ BEGIN(safe_string); return(TOK_KEY_EXE); }
 {key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
@@ -351,9 +360,13 @@ yy_flex_debug = 0;
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
 {key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_saddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_daddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_lport}		{ return(TOK_KEY_LPORT); }
+{key_srcport}		{ return(TOK_KEY_LPORT); }
 {key_fport}		{ return(TOK_KEY_FPORT); }
+{key_destport}		{ return(TOK_KEY_FPORT); }
 {key_bus}		{ return(TOK_KEY_BUS); }
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
@@ -364,6 +377,8 @@ yy_flex_debug = 0;
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_unix_peer_addr}    { BEGIN(safe_string); return(TOK_KEY_UNIX_PEER_ADDR); }
+{key_execpath}		{ BEGIN(safe_string); return(TOK_KEY_EXECPATH); }
 {key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }

libraries/libapparmor/src/tst_features.c

@@ -135,7 +135,7 @@ static int do_test_walk_one(const char **str, const struct component *component,
 
 static int test_walk_one(void)
 {
-	struct component c;
+	struct component c = (struct component) { NULL, 0 };
 	const char *str;
 	int rc = 0;
 

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -55,7 +55,7 @@ extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
 extern int aa_gettaskcon(pid_t target, char **label, char **mode);
 extern int aa_getcon(char **label, char **mode);
-extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
+extern int aa_getpeercon_raw(int fd, char *buf, socklen_t *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
 extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 			  int *audit);

libraries/libapparmor/swig/python/Makefile.am

@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
 
 all-local: libapparmor_wrap.c setup.py
 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
-	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
+	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
 
 install-exec-local:
 	$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

libraries/libapparmor/swig/python/setup.py.in

@@ -2,7 +2,7 @@ from setuptools import setup, Extension
 import string
 
 setup(name          = 'LibAppArmor',
-      version       = '@VERSION@',
+      version       = '@VERSION@'.replace('~', '-'),
       author        = 'AppArmor Dev Team',
       author_email  = 'apparmor@lists.ubuntu.com',
       url           = 'https://wiki.apparmor.net',

libraries/libapparmor/testsuite/test_multi.c

@@ -1,5 +1,3 @@
-#define _GNU_SOURCE /* for glibc's basename version */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -7,6 +5,12 @@
 
 #include <aalogparse.h>
 
+static const char *basename(const char *path)
+{
+	const char *p = strrchr(path, '/');
+	return p ? p + 1 : path;
+}
+
 int print_results(aa_log_record *record);
 
 int main(int argc, char **argv)
@@ -115,6 +119,8 @@ int print_results(aa_log_record *record)
 		print_long("Peer PID", record->peer_pid, 0);
 		print_string("Active hat", record->active_hat);
 
+		print_string("Net Addr", record->net_addr);
+		print_string("Peer Addr", record->peer_addr);
 		print_string("Network family", record->net_family);
 		print_string("Socket type", record->net_sock_type);
 		print_string("Protocol", record->net_protocol);
@@ -134,6 +140,8 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
+		print_string("Execpath", record->execpath);
+
 		print_string("Class", record->class);
 
 		print_long("Epoch", record->epoch, 0);

libraries/libapparmor/testsuite/test_multi/file_inherit_network_lp1509030.profile

@@ -1,4 +1,4 @@
 /usr/lib/NetworkManager/nm-dhcp-client.action {
-  network inet6 dgram,
+  network inet6 dgram port=10580,
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_lp1466812.profile

@@ -1,4 +1,4 @@
 /usr/sbin/apache2 {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:192.168.236.159 port=80 peer=(ip=::ffff:192.168.103.80 port=61985),
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1577051.profile

@@ -1,7 +1,7 @@
 /usr/sbin/apache2 {
 
   ^www.xxxxxxxxxx.co.uk {
-    network inet6 stream,
+    network (send) inet6 stream ip=::ffff:192.168.1.100 port=80 peer=(ip=::ffff:192.168.1.100 port=45658),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1582374.profile

@@ -1,7 +1,7 @@
 /usr/local/apache-tomcat-8.0.33/bin/catalina.sh {
 
   ^/usr/local/jdk1.8.0_92/bin/java {
-    network inet6 stream,
+    network (receive) inet6 stream ip=::ffff:127.0.0.1 port=8080 peer=(ip=::ffff:127.0.0.1 port=52308),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
-  mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+  mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

@@ -0,0 +1,4 @@
+profile steam {
+  mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_01.profile

@@ -1,4 +1,4 @@
 /usr/bin/evince-thumbnailer {
-  network inet stream,
+  network inet stream ip=192.168.66.150 port=765 peer=(ip=192.168.66.200 port=2049),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_02.profile

@@ -1,4 +1,4 @@
 /usr/bin/evince-thumbnailer {
-  network inet stream,
+  network inet stream port=765 peer=(port=2049),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_03.profile

@@ -1,4 +1,4 @@
 /usr/lib/dovecot/imap-login {
-  network inet6 stream,
+  network inet6 stream port=143,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_04.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/tmp/nc {
-  network inet6 stream,
+  network inet6 stream ip=::1 port=2048 peer=(ip=::1 port=33986),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_05.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/tmp/nc {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:127.0.0.1 port=2048 peer=(ip=::ffff:127.0.0.1 port=59180),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_06.in

@@ -0,0 +1 @@
+[319992.813426] audit: type=1400 audit(1716557137.764:477): apparmor="DENIED" operation="recvmsg" class="net" info="failed remote addr match" error=-13 profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=22237 comm="net_inet_rcv" laddr=127.0.97.3 lport=3456 saddr=127.0.97.3 src=3456 family="inet" sock_type="dgram" protocol=17 requested="receive" denied="receive"

libraries/libapparmor/testsuite/test_multi/testcase_network_06.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_06.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716557137.764:477
+Operation: recvmsg
+Mask: receive
+Denied Mask: receive
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+Info: failed remote addr match
+ErrorCode: 13
+PID: 22237
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.0.97.3
+Local port: 3456
+Class: net
+Epoch: 1716557137
+Audit subid: 477

libraries/libapparmor/testsuite/test_multi/testcase_network_06.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (receive) inet dgram ip=127.0.97.3 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_07.in

@@ -0,0 +1 @@
+[321266.557863] audit: type=1400 audit(1716558411.518:583): apparmor="DENIED" operation="bind" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=23602 comm="net_inet_rcv" saddr=127.0.97.3 src=3456 family="inet" sock_type="dgram" protocol=17 requested="bind" denied="bind"

libraries/libapparmor/testsuite/test_multi/testcase_network_07.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_07.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716558411.518:583
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+PID: 23602
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.0.97.3
+Local port: 3456
+Class: net
+Epoch: 1716558411
+Audit subid: 583

libraries/libapparmor/testsuite/test_multi/testcase_network_07.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (bind) inet dgram ip=127.0.97.3 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_08.in

@@ -0,0 +1 @@
+[321557.117710] audit: type=1400 audit(1716558702.097:793): apparmor="DENIED" operation="setsockopt" class="net" info="failed cmd selection match" error=-13 profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=26135 comm="net_inet_rcv" family="inet" sock_type="dgram" protocol=17 requested="setopt" denied="setopt"

libraries/libapparmor/testsuite/test_multi/testcase_network_08.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_08.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716558702.097:793
+Operation: setsockopt
+Mask: setopt
+Denied Mask: setopt
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+Info: failed cmd selection match
+ErrorCode: 13
+PID: 26135
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Class: net
+Epoch: 1716558702
+Audit subid: 793

libraries/libapparmor/testsuite/test_multi/testcase_network_08.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (setopt) inet dgram,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_09.in

@@ -0,0 +1 @@
+[338728.513756] audit: type=1400 audit(1716575873.613:1160): apparmor="DENIED" operation="sendmsg" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd" pid=31340 comm="net_inet_snd" laddr=127.187.243.54 lport=3457 saddr=127.187.243.54 src=3457 daddr=127.0.97.3 dest=3456 family="inet" sock_type="dgram" protocol=17 requested="send" denied="send"

libraries/libapparmor/testsuite/test_multi/testcase_network_09.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_09.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716575873.613:1160
+Operation: sendmsg
+Mask: send
+Denied Mask: send
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd
+Command: net_inet_snd
+PID: 31340
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.187.243.54
+Foreign addr: 127.0.97.3
+Local port: 3457
+Foreign port: 3456
+Class: net
+Epoch: 1716575873
+Audit subid: 1160

libraries/libapparmor/testsuite/test_multi/testcase_network_09.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd {
+  network (send) inet dgram ip=127.187.243.54 port=3457 peer=(ip=127.0.97.3 port=3456),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_10.in

@@ -0,0 +1 @@
+[341455.536270] audit: type=1400 audit(1716578600.733:1467): apparmor="DENIED" operation="bind" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=35013 comm="net_inet_rcv" saddr=fd74:1820:b03a:b361::cf32 src=3456 family="inet6" sock_type="dgram" protocol=17 requested="bind" denied="bind"

libraries/libapparmor/testsuite/test_multi/testcase_network_10.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_10.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716578600.733:1467
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+PID: 35013
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: fd74:1820:b03a:b361::cf32
+Local port: 3456
+Class: net
+Epoch: 1716578600
+Audit subid: 1467

libraries/libapparmor/testsuite/test_multi/testcase_network_10.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (bind) inet6 dgram ip=fd74:1820:b03a:b361::cf32 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_11.in

@@ -0,0 +1 @@
+[342092.040080] audit: type=1400 audit(1716579237.240:2187): apparmor="DENIED" operation="sendmsg" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd" pid=43431 comm="net_inet_snd" laddr=fd74:1820:b03a:b361::a0f9 lport=3457 saddr=fd74:1820:b03a:b361::a0f9 src=3457 daddr=fd74:1820:b03a:b361::cf32 dest=3456 family="inet6" sock_type="dgram" protocol=17 requested="send" denied="send"

libraries/libapparmor/testsuite/test_multi/testcase_network_11.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716579237.240:2187
+Operation: sendmsg
+Mask: send
+Denied Mask: send
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd
+Command: net_inet_snd
+PID: 43431
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: fd74:1820:b03a:b361::a0f9
+Foreign addr: fd74:1820:b03a:b361::cf32
+Local port: 3457
+Foreign port: 3456
+Class: net
+Epoch: 1716579237
+Audit subid: 2187

libraries/libapparmor/testsuite/test_multi/testcase_network_11.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd {
+  network (send) inet6 dgram ip=fd74:1820:b03a:b361::a0f9 port=3457 peer=(ip=fd74:1820:b03a:b361::cf32 port=3456),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.profile

@@ -1,7 +1,7 @@
 /usr/bin/nginx-amplify-agent.py {
 
   ^null-/bin/dash {
-    network inet stream,
+    network (receive, send) inet stream ip=192.168.10.3 port=50758 peer=(ip=54.153.70.241 port=443),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1709108389.303:12383): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/home/user/test/testmount" name="/tmp/foo/" pid=14155 comm="testmount" flags="ro, remount"

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.out

@@ -0,0 +1,15 @@
+START
+File: testcase_remount_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1709108389.303:12383
+Operation: mount
+Profile: /home/user/test/testmount
+Name: /tmp/foo/
+Command: testmount
+Info: failed mntpnt match
+ErrorCode: 13
+PID: 14155
+Flags: ro, remount
+Class: mount
+Epoch: 1709108389
+Audit subid: 12383

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.profile

@@ -0,0 +1,4 @@
+/home/user/test/testmount {
+  mount options=(remount, ro) -> /tmp/foo/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1709025786.045:43147): apparmor="DENIED" operation="umount" class="mount" profile="/home/user/test/testmount" name="/mnt/a/" pid=26697 comm="testmount"

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.out

@@ -0,0 +1,12 @@
+START
+File: testcase_umount_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1709025786.045:43147
+Operation: umount
+Profile: /home/user/test/testmount
+Name: /mnt/a/
+Command: testmount
+PID: 26697
+Class: mount
+Epoch: 1709025786
+Audit subid: 43147

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.profile

@@ -0,0 +1,4 @@
+/home/user/test/testmount {
+  umount /mnt/a/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_unix_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1711454639.955:322): apparmor="DENIED" operation="connect" class="net" profile="/home/user/test/client.py" pid=80819 comm="client.py" family="unix" sock_type="stream" protocol=0 requested="send receive connect" denied="send receive connect" addr=none peer_addr="@test_abstract_socket" peer="/home/user/test/server.py"

libraries/libapparmor/testsuite/test_multi/testcase_unix_01.out

@@ -0,0 +1,18 @@
+START
+File: testcase_unix_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1711454639.955:322
+Operation: connect
+Mask: send receive connect
+Denied Mask: send receive connect
+Profile: /home/user/test/client.py
+Peer: /home/user/test/server.py
+Command: client.py
+PID: 80819
+Peer Addr: @test_abstract_socket
+Network family: unix
+Socket type: stream
+Protocol: ip
+Class: net
+Epoch: 1711454639
+Audit subid: 322

libraries/libapparmor/testsuite/test_multi/testcase_unix_01.profile

@@ -0,0 +1,4 @@
+/home/user/test/client.py {
+  unix (connect, receive, send) type=stream peer=(addr=@test_abstract_socket),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_unix_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1711214183.107:298): apparmor="DENIED" operation="connect" class="net" profile="/home/user/test/client.py" pid=65262 comm="server.py" family="unix" sock_type="stream" protocol=0 requested="send receive accept" denied="send accept" addr="@test_abstract_socket" peer_addr=none peer="unconfined"

libraries/libapparmor/testsuite/test_multi/testcase_unix_02.out

@@ -0,0 +1,18 @@
+START
+File: testcase_unix_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1711214183.107:298
+Operation: connect
+Mask: send receive accept
+Denied Mask: send accept
+Profile: /home/user/test/client.py
+Peer: unconfined
+Command: server.py
+PID: 65262
+Net Addr: @test_abstract_socket
+Network family: unix
+Socket type: stream
+Protocol: ip
+Class: net
+Epoch: 1711214183
+Audit subid: 298

libraries/libapparmor/testsuite/test_multi/testcase_unix_02.profile

@@ -0,0 +1,4 @@
+/home/user/test/client.py {
+  unix (accept, send) type=stream addr=@test_abstract_socket,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_unix_03.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1711214069.931:292): apparmor="DENIED" operation="bind" class="net" profile="/home/user/test/client.py" pid=64952 comm="client.py" family="unix" sock_type="stream" protocol=0 requested="bind" denied="bind" addr="@test_abstract_socket"

libraries/libapparmor/testsuite/test_multi/testcase_unix_03.out

@@ -0,0 +1,17 @@
+START
+File: testcase_unix_03.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1711214069.931:292
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/user/test/client.py
+Command: client.py
+PID: 64952
+Net Addr: @test_abstract_socket
+Network family: unix
+Socket type: stream
+Protocol: ip
+Class: net
+Epoch: 1711214069
+Audit subid: 292

libraries/libapparmor/testsuite/test_multi/testcase_unix_03.profile

@@ -0,0 +1,4 @@
+/home/user/test/client.py {
+  unix (bind) type=stream addr=@test_abstract_socket,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_userns_02.in

@@ -0,0 +1 @@
+[  429.272003] audit: type=1400 audit(1720613712.153:168): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=5630 comm="unshare" requested="userns_create" target="unprivileged_userns" execpath="/usr/bin/unshare"

libraries/libapparmor/testsuite/test_multi/testcase_userns_02.out

@@ -0,0 +1,15 @@
+START
+File: testcase_userns_02.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1720613712.153:168
+Operation: userns_create
+Mask: userns_create
+Profile: unconfined
+Command: unshare
+Name2: unprivileged_userns
+Info: Userns create - transitioning profile
+PID: 5630
+Execpath: /usr/bin/unshare
+Class: namespace
+Epoch: 1720613712
+Audit subid: 168

libraries/libapparmor/testsuite/test_multi/testcase_userns_02.profile

@@ -0,0 +1,4 @@
+/usr/bin/unshare {
+  audit userns create,
+
+}

parser/Makefile

@@ -70,7 +70,10 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
 
-CFLAGS	+= -flto-partition=none
+HAVE_FLTO_PARTITION_NONE:=$(shell ${CC} -E -flto-partition=none /dev/null 1>/dev/null 2>&1 && echo true)
+ifeq ($(HAVE_FLTO_PARTITION_NONE),true)
+	CFLAGS += -flto-partition=none
+endif
 
 EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
@@ -99,19 +102,19 @@ EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
 SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
        parser_main.c parser_misc.c parser_merge.c parser_symtab.c \
        parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
-       parser_alias.c common_optarg.c lib.c network.c \
+       parser_alias.c common_optarg.c lib.c network.cc \
        mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \
        af_rule.cc af_unix.cc policy_cache.c default_features.c userns.cc \
-       mqueue.cc io_uring.cc
+       mqueue.cc io_uring.cc all_rule.cc cond_expr.cc
 STATIC_HDRS = af_rule.h af_unix.h capability.h common_optarg.h dbus.h \
        file_cache.h immunix.h lib.h mount.h network.h parser.h \
        parser_include.h parser_version.h policy_cache.h policydb.h \
        profile.h ptrace.h rule.h signal.h userns.h mqueue.h io_uring.h \
-       common_flags.h
+       common_flags.h bignum.h all_rule.h cond_expr.h
 
 SPECIAL_HDRS = parser_yacc.h unit_test.h base_cap_names.h
 GENERATED_HDRS = af_names.h generated_af_names.h \
-       cap_names.h generated_cap_names.h parser_version.h
+       cap_names.h generated_cap_names.h parser_version.h errnos.h
 LIBAA_HDRS = libapparmor_re/apparmor_re.h libapparmor_re/aare_rules.h
 
 TOOLS = apparmor_parser
@@ -295,7 +298,7 @@ signal.o: signal.cc $(HDRS)
 ptrace.o: ptrace.cc $(HDRS)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
-network.o: network.c $(HDRS)
+network.o: network.cc $(HDRS)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 default_features.o: default_features.c $(HDRS)
@@ -322,6 +325,12 @@ mqueue.o: mqueue.cc $(HDRS)
 io_uring.o: io_uring.cc $(HDRS)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
+all_rule.o: all_rule.cc $(HDRS)
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
+
+cond_expr.o: cond_expr.cc $(HDRS)
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
+
 parser_version.h: Makefile
 	@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
 	@mv -f .ver $@
@@ -361,6 +370,11 @@ tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
 tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
 
+errnos.h:
+	echo '#include <errno.h>' > dump.c
+	$(CC) -E -dD dump.c | awk '/^#define E/ { printf "{ \"%s\", %s },\n", $$2, $$2 }' > errnos.h
+	rm -f dump.c
+
 .SILENT: check
 .PHONY: check
 check: check_pod_files tests
@@ -373,13 +387,8 @@ tests: apparmor_parser ${TESTS}
 $(AAREOBJECT): FORCE
 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
-.PHONY: install-rhel4
-install-rhel4: install-redhat
-
 .PHONY: install-redhat
-install-redhat:
-	install -m 755 -d $(DESTDIR)/etc/init.d
-	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
+install-redhat: install-systemd
 
 .PHONY: install-suse
 install-suse: install-systemd
@@ -410,9 +419,9 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
 	         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
 	             echo suse ;\
 	         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
-	            echo rhel4 ;\
+	            echo redhat ;\
 	         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
-	            echo rhel4 ;\
+	            echo redhat ;\
 	         else \
 	            echo unknown ;\
 	         fi ;\
@@ -439,7 +448,6 @@ install-arch: $(INSTALLDEPS)
 install-indep: indep
 	install -m 755 -d $(INSTALL_CONFDIR)
 	install -m 644 parser.conf $(INSTALL_CONFDIR)
-	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
 	install -m 755 profile-load $(APPARMOR_BIN_PREFIX)

parser/af_unix.cc

@@ -33,7 +33,7 @@
 /* See unix(7) for autobind address definition */
 #define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]";
 
-int parse_unix_perms(const char *str_perms, perms_t *perms, int fail)
+int parse_unix_perms(const char *str_perms, perm32_t *perms, int fail)
 {
 	return parse_X_perms("unix", AA_VALID_NET_PERMS, str_perms, perms, fail);
 }
@@ -108,9 +108,12 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode
 	perms = AA_VALID_NET_PERMS;
 	audit = audit_p;
 	rule_mode = rule_mode_p;
+	/* if this constructor is used, then there's already a
+	 * downgraded network_rule in profile */
+	downgrade = false;
 }
 
-unix_rule::unix_rule(perms_t perms_p, struct cond_entry *conds,
+unix_rule::unix_rule(perm32_t perms_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds):
 	af_rule(AF_UNIX), addr(NULL), peer_addr(NULL)
 {
@@ -188,9 +191,9 @@ static void writeu16(std::ostringstream &o, int v)
 #define CMD_OPT		4
 
 void unix_rule::downgrade_rule(Profile &prof) {
-	perms_t mask = (perms_t) -1;
+	perm32_t mask = (perm32_t) -1;
 
-	if (!prof.net.allow && !prof.alloc_net_table())
+	if (!prof.net.allow && !prof.net.alloc_net_table())
 		yyerror(_("Memory allocation error."));
 	if (sock_type_n != -1)
 		mask = 1 << sock_type_n;
@@ -198,6 +201,11 @@ void unix_rule::downgrade_rule(Profile &prof) {
 		prof.net.allow[AF_UNIX] |= mask;
 		if (audit == AUDIT_FORCE)
 			prof.net.audit[AF_UNIX] |= mask;
+		const char *error;
+		network_rule *netv8 = new network_rule(perms, AF_UNIX, sock_type_n);
+		if(!netv8->add_prefix({0, audit, rule_mode, owner}, error))
+			yyerror(error);
+		prof.rule_ents.push_back(netv8);
 	} else {
 		/* deny rules have to be dropped because the downgrade makes
 		 * the rule less specific meaning it will make the profile more
@@ -310,14 +318,15 @@ int unix_rule::gen_policy_re(Profile &prof)
 	std::ostringstream buffer;
 	std::string buf;
 
-	perms_t mask = perms;
+	perm32_t mask = perms;
 
 	/* always generate a downgraded rule. This doesn't change generated
 	 * policy size and allows the binary policy to be loaded against
 	 * older kernels and be enforced to the best of the old network
 	 * rules ability
 	 */
-	downgrade_rule(prof);
+	if (downgrade)
+		downgrade_rule(prof);
 	if (!features_supports_unix) {
 		if (features_supports_network || features_supports_networkv8) {
 			/* only warn if we are building against a kernel
@@ -335,7 +344,8 @@ int unix_rule::gen_policy_re(Profile &prof)
 	write_to_prot(buffer);
 	if ((mask & AA_NET_CREATE) && !has_peer_conds()) {
 		buf = buffer.str();
-		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
+		if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+						 rule_mode,
 						 map_perms(AA_NET_CREATE),
 						 map_perms(audit == AUDIT_FORCE ? AA_NET_CREATE : 0),
 						 parseopts))
@@ -360,7 +370,8 @@ int unix_rule::gen_policy_re(Profile &prof)
 		tmp << "\\x00";
 
 		buf = tmp.str();
-		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
+		if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+						 rule_mode,
 						 map_perms(AA_NET_BIND),
 						 map_perms(audit == AUDIT_FORCE ? AA_NET_BIND : 0),
 						 parseopts))
@@ -385,7 +396,8 @@ int unix_rule::gen_policy_re(Profile &prof)
 					AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD;
 		if (mask & local_mask) {
 			buf = buffer.str();
-			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
+			if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+							 rule_mode,
 							 map_perms(mask & local_mask),
 							 map_perms(audit == AUDIT_FORCE ? mask & local_mask : 0),
 							 parseopts))
@@ -399,7 +411,9 @@ int unix_rule::gen_policy_re(Profile &prof)
 			/* TODO: backlog conditional: for now match anything*/
 			tmp << "..";
 			buf = tmp.str();
-			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
+			if (!prof.policy.rules->add_rule(buf.c_str(),
+							 priority,
+							 rule_mode,
 							 map_perms(AA_NET_LISTEN),
 							 map_perms(audit == AUDIT_FORCE ? AA_NET_LISTEN : 0),
 							 parseopts))
@@ -412,10 +426,13 @@ int unix_rule::gen_policy_re(Profile &prof)
 			/* TODO: sockopt conditional: for now match anything */
 			tmp << "..";
 			buf = tmp.str();
-			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
-							 map_perms(mask & AA_NET_OPT),
-							 map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
-							 parseopts))
+			if (!prof.policy.rules->add_rule(buf.c_str(),
+						priority,
+						rule_mode,
+						map_perms(mask & AA_NET_OPT),
+						map_perms(audit == AUDIT_FORCE ?
+							  AA_NET_OPT : 0),
+						parseopts))
 				goto fail;
 		}
 		mask &= ~AA_LOCAL_NET_PERMS | AA_NET_ACCEPT;
@@ -433,7 +450,10 @@ int unix_rule::gen_policy_re(Profile &prof)
 			goto fail;
 
 		buf = buffer.str();
-		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), parseopts))
+		if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+				rule_mode, map_perms(perms & AA_PEER_NET_PERMS),
+				map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0),
+				parseopts))
 			goto fail;
 	}
 

parser/af_unix.h

@@ -24,7 +24,7 @@
 #include "profile.h"
 #include "af_rule.h"
 
-int parse_unix_perms(const char *str_mode, perms_t *perms, int fail);
+int parse_unix_perms(const char *str_mode, perm32_t *perms, int fail);
 
 class unix_rule: public af_rule {
 	void write_to_prot(std::ostringstream &buffer);
@@ -36,9 +36,10 @@ class unix_rule: public af_rule {
 public:
 	char *addr;
 	char *peer_addr;
+	bool downgrade = true;
 
 	unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p);
-	unix_rule(perms_t perms, struct cond_entry *conds,
+	unix_rule(perm32_t perms, struct cond_entry *conds,
 		  struct cond_entry *peer_conds);
 	virtual ~unix_rule()
 	{
@@ -47,6 +48,9 @@ public:
 	};
 
 	virtual bool valid_prefix(const prefixes &p, const char *&error) {
+		// priority is partially supported for unix rules
+		// rules that get downgraded to just network socket
+		// won't support them but the fine grained do.
 		if (p.owner) {
 			error = "owner prefix not allowed on unix rules";
 			return false;

parser/all_rule.cc

@@ -0,0 +1,156 @@
+/*
+ *   Copyright (c) 2023
+ *   Canonical Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Canonical Ltd.
+ */
+
+#include "profile.h"
+#include "all_rule.h"
+#include "af_unix.h"
+#include "dbus.h"
+#include "io_uring.h"
+#include "mqueue.h"
+#include "ptrace.h"
+#include "signal.h"
+#include "userns.h"
+#include "mount.h"
+#include "parser.h"
+
+#include <iomanip>
+#include <string>
+#include <iostream>
+#include <sstream>
+
+
+
+void all_rule::add_implied_rules(Profile &prof)
+{
+	prefix_rule_t *rule;
+	const prefixes *prefix = this;
+
+	rule = new unix_rule(0xffffffff, audit, rule_mode);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new dbus_rule(0, NULL, NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new io_uring_rule(0, NULL, NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new mqueue_rule(0, NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new ptrace_rule(0, NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new signal_rule(0, NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new userns_rule(0, NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_DUMMY_REMOUNT);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_UMOUNT);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_PIVOTROOT);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+
+	rule = new network_rule(0, (struct cond_entry *)NULL, (struct cond_entry *)NULL);
+	(void) rule->add_prefix(*prefix);
+	prof.rule_ents.push_back(rule);
+	
+	/* rules that have not been converted to use rule.h */
+
+	//file no x
+	{
+		const char *error;
+		struct cod_entry *entry;
+		char *path = strdup("/{**,}");
+		int perms = (AA_BASE_PERMS & ~(AA_EXEC_TYPE | AA_MAY_EXEC));
+		if (rule_mode != RULE_DENY)
+		/* duplicate to other permission set */
+		perms |= perms << AA_OTHER_SHIFT;
+		if (!path)
+			yyerror(_("Memory allocation error."));
+		entry = new_entry(path, perms, NULL);
+		if (!entry_add_prefix(entry, *prefix, error)) {
+			yyerror(_("%s"), error);
+		}
+		add_entry_to_policy(&prof, entry);
+	}
+	// lower priority ix
+	{
+		const char *error;
+		struct cod_entry *entry;
+		char *path = strdup("/{**,}");
+		int perms = AA_MAY_EXEC;
+		prefixes ix_prefix;
+
+		// TODO:
+		// need a better way to make sure the prefix is intialized
+		// without a constructor or copy constructor
+		ix_prefix.priority = prefix->priority -1;
+		ix_prefix.audit = prefix->audit;
+		ix_prefix.rule_mode = prefix->rule_mode;
+		ix_prefix.owner = prefix->owner;
+
+		ix_prefix.priority -= 1;
+		if (rule_mode != RULE_DENY)
+			perms |= AA_EXEC_INHERIT;
+		/* duplicate to other permission set */
+		perms |= perms << AA_OTHER_SHIFT;
+		if (!path)
+			yyerror(_("Memory allocation error."));
+		entry = new_entry(path, perms, NULL);
+		if (!entry_add_prefix(entry, ix_prefix, error)) {
+			yyerror(_("%s"), error);
+		}
+		add_entry_to_policy(&prof, entry);
+	}
+	// caps
+	{
+		if (prefix->owner)
+			yyerror(_("owner prefix not allowed on capability rules"));
+
+		if (rule_mode == RULE_DENY && audit == AUDIT_FORCE) {
+			prof.caps.deny |= 0xffffffffffffffff;
+		} else if (rule_mode == RULE_DENY) {
+			prof.caps.deny |= 0xffffffffffffffff;
+			prof.caps.quiet |= 0xffffffffffffffff;
+		} else {
+			prof.caps.allow |= 0xffffffffffffffff;
+			if (audit != AUDIT_UNSPECIFIED)
+				prof.caps.audit |= 0xffffffffffffffff;
+		}
+	}
+	
+	// TODO: rlimit
+}

parser/all_rule.h

@@ -0,0 +1,72 @@
+/*
+ *   Copyright (c) 2023
+ *   Canonical Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Canonical Ltd.
+ */
+
+#ifndef __AA_ALL_H
+#define __AA_ALL_H
+
+#include "rule.h"
+
+#define AA_IO_URING_OVERRIDE_CREDS AA_MAY_APPEND
+#define AA_IO_URING_SQPOLL AA_MAY_CREATE
+
+#define AA_VALID_IO_URING_PERMS (AA_IO_URING_OVERRIDE_CREDS | \
+				 AA_IO_URING_SQPOLL)
+
+class all_rule: public prefix_rule_t {
+	void move_conditionals(struct cond_entry *conds);
+public:
+	all_rule(void): prefix_rule_t(RULE_TYPE_ALL) { }
+
+	virtual bool valid_prefix(const prefixes &p, const char *&error) {
+		if (p.priority != 0) {
+			error = _("priority prefix not allowed on all rules");
+			return false;
+		}
+		if (p.owner) {
+			error = _("owner prefix not allowed on all rules");
+			return false;
+		}
+		return true;
+	};
+
+	int expand_variables(void)
+	{
+		return 0;
+	}
+	virtual ostream &dump(ostream &os) {
+		prefix_rule_t::dump(os);
+
+		os << "all";
+
+		return os;
+	}
+	virtual bool is_mergeable(void) { return true; }
+	virtual int cmp(rule_t const &rhs) const
+	{
+		return prefix_rule_t::cmp(rhs);
+	};
+
+	virtual void add_implied_rules(Profile &prof);
+
+	virtual int gen_policy_re(Profile &prof unused) { return RULE_OK; };
+
+protected:
+  virtual void warn_once(const char *name unused, const char *msg unused) { };
+  virtual void warn_once(const char *name unused)  { };
+};
+
+#endif /* __AA_ALL_H */

parser/apparmor.d.pod

@@ -115,9 +115,11 @@ B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of
 
 B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted'
 | 'attach_disconnected' | 'attach_disconneced.path='I<ABS PATH> | 'chroot_relative'
-| 'debug'
+| 'debug' | 'interruptible' | 'kill.signal='I<SIGNAL> | 'error='I<ERROR CODE>
 
-B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
+B<ERROR CODE> = (case insensitive error code name starting with 'E'; see errno(3))
+
+B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'default_allow' | 'unconfined' | 'prompt'
 
 B<AUDIT MODE> = 'audit'
 
@@ -125,7 +127,7 @@ B<RULES> = [ ( I<LINE RULES> | I<COMMA RULES> ',' | I<BLOCK RULES> )
 
 B<LINE RULES> = ( I<COMMENT> | I<INCLUDE> ) [ '\r' ] '\n'
 
-B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<DBUS RULE> | I<MQUEUE RULE> )
+B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<DBUS RULE> | I<MQUEUE RULE> | I<IO_URING RULE> | I<USERNS RULE> | I<ALL RULE>)
 
 B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> | I<QUALIFIER BLOCK> )
 
@@ -137,9 +139,11 @@ B<HATNAME> = (must start with alphanumeric character. See aa_change_hat(2) for a
 
 B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK>
 
+B<INTEGER> = (+ | -)? [[:digit:]]+
+
 B<ACCESS TYPE> = ( 'allow' | 'deny' )
 
-B<QUALIFIERS> = [ 'audit' ] [ I<ACCESS TYPE> ]
+B<QUALIFIERS> = [ 'priority' '=' <INTEGER> ] [ 'audit' ] [ I<ACCESS TYPE> ]
 
 B<CAPABILITY RULE> = [ I<QUALIFIERS> ] 'capability' [ I<CAPABILITY LIST> ]
 
@@ -148,7 +152,14 @@ B<CAPABILITY LIST> = ( I<CAPABILITY> )+
 B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
 capabilities(7))
 
-B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
+B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<NETWORK ACCESS EXPR> ] [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ] [ I<NETWORK LOCAL EXPR> ] [ I<NETWORK PEER EXPR> ]
+
+B<NETWORK ACCESS EXPR> = ( I<NETWORK ACCESS> | I<NETWORK ACCESS LIST> )
+
+B<NETWORK ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
+  Some access modes are incompatible with some rules.
+
+B<NETWORK ACCESS LIST> = '(' I<NETWORK ACCESS> ( [','] I<NETWORK ACCESS> )* ')'
 
 B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' | 'mctp' ) ','
 
@@ -156,6 +167,22 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
 B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
 
+B<NETWORK LOCAL EXPR> = ( I<NETWORK IP COND> | I<NETWORK PORT COND> )*
+  Each cond can appear at most once.
+
+B<NETWORK PEER EXPR> = 'peer' '=' '(' ( I<NETWORK IP COND> | I<NETWORK PORT COND> )+ ')'
+  Each cond can appear at most once.
+
+B<NETWORK IP COND> = 'ip' '=' ( 'none' | I<NETWORK IPV4> | I<NETWORK IPV6> )
+
+B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> )
+
+B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
+
+B<NETWORK IPV6> = IPv6, represented by eight groups of four hexadecimal numbers separated by ':'. Shortened representation of contiguous zeros is allowed by using '::'
+
+B<NETWORK PORT> = 16-bit number ranging from 0 to 65535
+
 B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
 
 B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]
@@ -192,6 +219,16 @@ B<MQUEUE LABEL> = 'label' '=' '(' '"' I<AARE> '"' | I<AARE> ')'
 
 B<MQUEUE NAME> = I<AARE>
 
+B<USERNS RULE> = [ I<QUALIFIERS> ] 'userns' [ I<USERNS ACCESS PERMISSIONS> ]
+
+B<USERNS ACCESS PERMISSIONS> = ( 'create' )
+
+B<IO_URING RULE> = [ I<QUALIFIERS> ] 'io_uring' [ I<IO_URING ACCESS PERMISSIONS> [ I<IO_URING LABEL> ]
+
+B<IO_URING ACCESS PERMISSIONS> = ( 'sqpoll' | 'override_creds' )
+
+B<IO_URING LABEL> = 'label' '=' '(' '"' I<AARE> '"' | I<AARE> ')'
+
 B<PIVOT ROOT RULE> = [ I<QUALIFIERS> ] pivot_root [ oldroot=I<OLD PUT FILEGLOB> ] [ I<NEW ROOT FILEGLOB> ] [ '-E<gt>' I<PROFILE NAME> ]
 
 B<SOURCE FILEGLOB> = I<FILEGLOB>
@@ -220,9 +257,9 @@ B<SIGNAL ACCESS> = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' )
 
 B<SIGNAL SET> = 'set' '=' '(' I<SIGNAL LIST> ')'
 
-B<SIGNAL LIST> = Comma or space separated list of I<SIGNALS>
+B<SIGNAL LIST> = Comma or space separated list of I<SIGNAL>s
 
-B<SIGNALS> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' )
+B<SIGNAL> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' )
 
 B<SIGNAL PEER> = 'peer' '=' I<AARE>
 
@@ -336,6 +373,8 @@ B<EXEC_MODE> = ( 'safe' | 'unsafe' )
 
 B<EXEC COND> = I<FILEGLOB>
 
+B<ALL RULE> = 'all'
+
 =back
 
 All resources and programs need a full path. There may be any number of
@@ -454,12 +493,36 @@ a signal to kill it.
 permission the action will be allowed, but the violation will be logged
 with a tag of the access being B<ALLOWED>.
 
+=item B<default_allow> This mode changes the default behavior of
+apparmor from default deny to default allow. When default_allow is
+specified the resulting profile will allow operations that the profile
+does not have a rule for. This mode is similar to I<unconfined> but
+allows for allow and deny rules, specifying audit, and domain
+transitions.  Profiles in this mode may be be reported as being in
+I<enforce> mode or I<allow> mode when introspected from the kernel.
+
+Note: default_allow is similar and for many profiles will be equivalent
+to specifying an I<allow all,> rule in the profile. The default_allow
+flag does not provide all the same option that the I<allow all,> rule
+provides.
+
 =item B<unconfined> This mode allows a task confined by the profile to
-behave as though they are I<unconfined>. This mode allow for an
-unconfined behavior that can be later changed to confinement by using
-profile replacement. This mode is should not be used under regular
-deployment but can be useful during debugging and some system
-initialization scenarios.
+behave as though it is I<unconfined>. The unconfined behavior can be
+later changed to confinement by using profile replacement. This mode
+should not be used under regular deployment but can be useful during
+debugging and some system initialization scenarios.
+
+This mode is similar to default_allow and may be emulated by
+default_allow in kernels that no longer support a true unconfined
+mode. It does not generally allow for specifying deny rules, or allow
+rules that override the default behavior, except in a few custom
+kernels where unconfined restricts a few operations. It relies on
+special customized behavior of the unconfined profile in the kernel
+and as such should only be used for debugging.
+
+Note: true unconfined is being phased out, with unconfined becoming a
+replaceable profile. As such unconfined mode will be emulated by a
+special profile compiled with the default_allow flag in newer kernels.
 
 =item B<prompt> This mode allows task mediation to send an up call to
 userspace to ask for a decision when there isn't a rule covering the
@@ -506,6 +569,14 @@ flags to control what messages will be output. Its effect is kernel
 dependent, and it should never appear in policy except when trying
 to debug kernel or policy problems.
 
+=item B<interruptible> Enables interrupts for prompt upcall to userspace.
+
+=item B<kill.signal>=I<SIGNAL> This changes the signal that will be
+sent by AppArmor when in kill mode or a kill rule has been violated.
+
+=item B<error>=I<ERROR CODE> This changes the error code returned by
+AppArmor when a rule has been violated.
+
 =back
 
 =head2 Access Modes
@@ -871,11 +942,10 @@ and other operations that are typically reserved for the root user.
 
 =head2 Network Rules
 
-AppArmor supports simple coarse grained network mediation.  The network
-rule restrict all socket(2) based operations.  The mediation done is
-a coarse-grained check on whether a socket of a given type and family
-can be created, read, or written.  There is no mediation based of port
-number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
+AppArmor supports simple coarse grained network mediation.  The
+network rule restrict all socket(2) based operations.  The mediation
+done is a coarse-grained check on whether a socket of a given type and
+family can be created, read, or written. Network netlink(7) rules may
 only specify type 'dgram' and 'raw'.
 
 AppArmor network rules are accumulated so that the granted network
@@ -892,6 +962,48 @@ eg.
  network inet6 tcp,	#allow access to tcp only for inet6 addresses
  network netlink raw,	#allow access to AF_NETLINK SOCK_RAW
 
+=head3 Network permissions
+
+Network rule permissions are implied when a rule does not explicitly
+state an access list. By default if a rule does not have an access
+list all permissions that are compatible with the specified set of
+local and peer conditionals are implied.
+
+The create, bind, listen, shutdown, getattr, setattr, getopt, and
+setopt permissions are local socket permissions. They are only applied
+to the local socket and can't be specified in rules that have a peer
+conditional. The accept permission applies to the combination of a
+local and peer socket. The connect, send, and receive permissions are
+peer socket permissions.
+
+=head3 Mediation of inet/inet6 family
+
+AppArmor supports fine grained mediation of the inet and inet6
+families by using the ip and port conditionals. The ip conditional
+accepts both IPv4 and IPv6 using the regular representation of four
+octets separated by '.' for IPv4 and eight groups of four hexadecimal
+numbers separated by ':' for IPv6. Contiguous leading zeros can be
+replaced by '::' once. On a connected socket, the sender and receiver
+don't need to be specified in the recvfrom and sendto system calls. In
+that case, and with unbounded sockets, the IP address is none, or
+unknown. Unknown or Unbound IP addresses are represented in policy by the
+'none' keyword. When the ip conditional is omitted, then all IP
+addresses will be allowed: IPv4, IPv6 and none. If INADDR_ANY or
+in6addr_any is used, then the ip conditional can be omitted or they
+can be represented by:
+
+ network ip=::,		#allow in6addr_any
+ network ip=0.0.0.0;	#allow INADDR_ANY
+
+The network rules support the specification of local and remote IP
+addresses and ports.
+
+ network ip=127.0.0.1 port=8080,
+ network peer=(ip=10.139.15.23 port=8081),
+ network ip=fd74:1820:b03a:b361::cf32 peer=(ip=fd74:1820:b03a:b361::a0f9),
+ network port=8080 peer=(port=8081),
+ network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
+
 =head2 Mount Rules
 
 AppArmor supports mount mediation and allows specifying filesystem types and
@@ -1133,6 +1245,89 @@ Example AppArmor Message Queue rules:
     # Allow create permission for a SYSV queue of label foo
     mqueue create label=foo 123,
 
+=head2 User Namespace Rules
+
+User namespaces are part of many sandboxing and containerization
+solutions.  They provide a way for a non-system root process to be
+root within the container. Unfortunately this opens up attack surface
+in the kernel and has been part of several exploit chains. As such
+AppArmor can be used to restrict the creation of user namespaces to
+select processes.
+
+User namespace permission are implied when a rule does not explicitly
+state an access list. The rule becomes more restrictive as further
+information is specified.
+
+Note: user namespace creation may be restricted so that it is not
+available to unprivieged unconfined processes. If this is the case any
+process trying to create user namespaces will require a profile that
+allows the necessary permissions.
+
+=over 4
+
+=item B<create>
+
+Allow creation of user namespaces.
+
+=back
+
+Example userns rules:
+
+=over 4
+
+  # Allow all userns perms
+  userns,
+
+  # Allow creation of a userns
+  userns create,
+
+=back
+
+=head2 IO_URing Rules
+
+AppArmor supports mediation of the new Linux high speed IO interface.
+There is limited mediation at this time to just a few permissions at
+the moment.
+
+IO Uring permission are implied when a rule does not explicitly state
+an access list. The rule becomes more restrictive as further
+information is specified.
+
+Note: io_uring access may be restricted so that it is not available to
+unprivileged unconfined processes. If this is the case any process
+trying to use io_uring will require a profile that allows the
+necessary io_uring permissions.
+
+=over 4
+
+=item B<sqpoll>
+
+All the task confined by the profile to spawn a io_uring polling
+thread.
+
+=item B<override_creds>
+
+Grants the task confined by the profile to override (change) its
+credentials to the specified label, when executing an io_uring
+operation.
+
+=back
+
+Example IO_URING rules:
+
+=over 4
+
+  # Allow io_uring operations
+  io_ring,
+
+  # Allow creation of a polling thread
+  io_uring sqpoll,
+
+  # Allow task to override credentials during io_uring operation
+  io_uring override_creds label=new_creds,
+
+=back
+
 =head2 Pivot Root Rules
 
 AppArmor mediates changing of the root filesystem through the pivot_root(2)
@@ -1506,6 +1701,26 @@ Not all kernels support B<safe> mode and the parser will downgrade rules to
 B<unsafe> mode in that situation. If no exec mode is specified, the default is
 B<safe> mode in kernels that support it.
 
+=head2 all rule
+
+The all rule is used to add a generic rule for all supported rule types.
+This is useful when policy wants to define a black list instead of
+white list, but can also be useful to add an access qualifier to all
+rules.
+
+Eg. Black list
+
+  allow all,
+  # begin blacklist
+  deny file,
+  deny unix,
+
+
+Eg. Adding audit qualifier
+
+  audit access all,
+
+
 =head2 rlimit rules
 
 AppArmor can set and control the resource limits associated with a
@@ -1665,6 +1880,17 @@ Rule qualifiers can modify the rule and/or permissions within the rule.
 
 =over 4
 
+=item B<priority>
+
+Specifies the priority of the rule. Currently the allowed range is
+-1000 to 1000 with the default priority of rule is 0.  Rules with
+higher priority are given preferences and will completely override
+permissions of lower priority rules where they overlap. When rules
+partially overlap the permissions of the higher priority rule will
+completely override lower priority rules within in overlap. Within a
+given priority level rules that overlap will accumulate permissions in
+the standard apparmor fashion.
+
 =item B<allow>
 
 Specifies that permissions requests that match the rule are allowed. This
@@ -1893,8 +2119,6 @@ An example AppArmor profile:
 
 =over 4
 
-=item F</etc/init.d/boot.apparmor>
-
 =item F</etc/apparmor.d/>
 
 =back

parser/apparmor.pod

@@ -36,12 +36,11 @@ of resources. AppArmor's unique security model is to bind access control
 attributes to programs rather than to users.
 
 AppArmor confinement is provided via I<profiles> loaded into the kernel
-via apparmor_parser(8), typically through the F</etc/init.d/apparmor>
-SysV initscript, which is used like this:
+via apparmor_parser(8), typically through the F<apparmor.service>
+systemd unit, which is used like this:
 
-	# /etc/init.d/apparmor start
-	# /etc/init.d/apparmor stop
-	# /etc/init.d/apparmor restart
+	# systemctl start apparmor
+	# systemctl reload apparmor
 
 AppArmor can operate in two modes: I<enforcement>, and I<complain or learning>:
 
@@ -110,7 +109,7 @@ I<Turn off deny audit quieting> if this is a problem).
 
 Complain mode can be used to develop profiles incrementally as an
 application is exercised. The logged accesses can be added to the
-profile and then can the application further excercised to discover further
+profile and then can the application further exercised to discover further
 additions that are needed. Because AppArmor allows the accesses the
 application will behave as it would if AppArmor was not confining it.
 
@@ -147,9 +146,9 @@ or to set it on boot add:
 
 	apparmor.mode=complain
 
-as a kernel boot paramenter.
+as a kernel boot parameter.
 
-B<Warning> Setting complain mode gloabally disables all apparmor
+B<Warning> Setting complain mode globally disables all apparmor
 security protections. It can be useful during debugging or profile
 development, but setting it selectively on a per profile basis is
 safer.
@@ -218,7 +217,7 @@ or to set it on boot add:
 
 	apparmor.debug=1
 
-as a kernel boot paramenter.
+as a kernel boot parameter.
 
 =head2 Turn off deny audit quieting
 
@@ -233,7 +232,7 @@ or to set it on boot add:
 
 	apparmor.audit=noquiet
 
-as a kernel boot paramenter.
+as a kernel boot parameter.
 
 =head2 Force audit mode
 
@@ -255,7 +254,7 @@ or to set it on boot add:
 
 	apparmor.audit=all
 
-as a kernel boot paramenter.
+as a kernel boot parameter.
 
 B<Audit Rate Limiting>
 
@@ -273,11 +272,9 @@ Else, if auditd is running, see auditd(8) and auditd.conf(5).
 
 =over 4
 
-=item F</etc/init.d/apparmor>
-
 =item F</etc/apparmor.d/>
 
-=item F</var/lib/apparmor/>
+=item F</var/cache/apparmor/>
 
 =item F</var/log/audit/audit.log>
 

parser/apparmor.service

@@ -6,6 +6,8 @@ After=systemd-journald-audit.socket
 # profile cache: /var/cache/apparmor/ and /usr/share/apparmor/cache/
 After=var.mount var-cache.mount usr.mount usr-share.mount
 ConditionSecurity=apparmor
+Documentation=man:apparmor(7)
+Documentation=https://gitlab.com/apparmor/apparmor/wikis/home/
 
 [Service]
 Type=oneshot

parser/apparmor.systemd

@@ -17,6 +17,8 @@
 
 APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_action()
 {
     echo "$1"
@@ -25,36 +27,50 @@ aa_action()
     return $?
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_warning_msg()
 {
     echo "Warning: $*"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_failure_msg()
 {
     echo "Error: $*"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_action_start()
 {
     echo "$@"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_action_end()
 {
     printf ""
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_daemon_msg()
 {
     echo "$@"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_skipped_msg()
 {
     echo "Skipped: $*"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_end_msg()
 {
     printf ""

parser/apparmor_parser.pod

@@ -299,11 +299,11 @@ Enable various warnings during policy compilation. A single warn flag
 can be specified per --warn option, but the --warn flag can be passed
 multiple times.
 
-  apparmor_parser --warn=rules-not-enforced ...
+  apparmor_parser --warn=rule-not-enforced ...
 
 A specific warning can be disabled by prepending I<no>- to the flag
 
-  apparmor_parser --warn=no-rules-not-enforced ...
+  apparmor_parser --warn=no-rule-not-enforced ...
 
 Use --help=warn to see a full list of which warn flags are supported.
 
@@ -397,7 +397,7 @@ failure, instead the parser continues on with processing the remaining
 profiles.
 
 =item --estimated-compile-size
-Adjust the internal parameter used to estimate how agressive the parser
+Adjust the internal parameter used to estimate how aggressive the parser
 can be when compiling policy. This may include changes to how or when
 caches are dropped or how many compile units (jobs) are launched. The
 value should slightly larger than the largest Resident Set Size (RSS)
@@ -451,7 +451,7 @@ Eg.
 
 would result in Optimize=minimize being set.
 
-The Include, Dump, and Optimize options accululate except for the inversion
+The Include, Dump, and Optimize options accumulate except for the inversion
 option (no-X vs. X), and a couple options that work by setting/clearing
 multiple options (compress-small).  In that case the option will override
 the flags it sets but will may accumulate with others.

parser/bignum.h

@@ -0,0 +1,233 @@
+/*
+ *   Copyright (c) 2023
+ *   Canonical Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Canonical Ltd.
+ */
+
+#ifndef __AA_BIGNUM_H
+#define __AA_BIGNUM_H
+
+#include <iostream>
+#include <vector>
+#include <sstream>
+#include <algorithm>
+#include <string>
+
+class bignum
+{
+public:
+	std::vector<uint8_t> data;
+	uint8_t base;
+	bool negative = false;
+	bignum () : base(0) {}
+
+	bignum (unsigned long val) {
+		if (val == 0)
+			data.push_back(val);
+		else {
+			while(val > 0) {
+				data.push_back(val % 10);
+				val /= 10;
+			}
+		}
+		base = 10;
+	}
+
+	bignum (const char *val) {
+		while (*val) {
+			data.push_back(*val - 48);
+			val++;
+		}
+		std::reverse(data.begin(), data.end());
+		base = 10;
+	}
+
+	bignum (const uint8_t val[16]) {
+		size_t i;
+		bool flag = true;
+		for (i = 0; i < 16; i++) {
+			if (flag && (val[i] & 0xF0) >> 4 != 0)
+				flag = false;
+			if (!flag)
+				data.push_back((val[i] & 0xF0) >> 4);
+			if (flag && (val[i] & 0x0F) != 0)
+				flag = false;
+			if (!flag)
+				data.push_back(val[i] & 0x0F);
+		}
+		std::reverse(data.begin(), data.end());
+		base = 16;
+	}
+
+	bignum operator+(const bignum &brhs) const {
+		bignum b1 = this->size() < brhs.size() ? *this : brhs;
+		bignum b2 = this->size() < brhs.size() ? brhs : *this;
+		bignum result;
+		result.base = this->base;
+		uint8_t carryover = 0;
+		uint8_t sum;
+		size_t i;
+		for (i = 0; i < b1.size(); i++) {
+			sum = b1[i] + b2[i] + carryover;
+			if (sum > base - 1)
+				carryover = 1;
+			else
+				carryover = 0;
+			result.data.push_back(sum % base);
+		}
+		for (; i < b2.size(); i++) {
+			sum = b2[i] + carryover;
+			if (sum > base - 1)
+				carryover = 1;
+			else
+				carryover = 0;
+			result.data.push_back(sum % base);
+		}
+		if (carryover != 0)
+			result.data.push_back(carryover);
+		return result;
+	}
+
+	bignum operator-(const bignum &brhs) const {
+		bignum b1 = this->size() < brhs.size() ? *this : brhs;
+		bignum b2 = this->size() < brhs.size() ? brhs : *this;
+		bignum result;
+		result.negative = *this < brhs;
+		result.base = this->base;
+		int8_t borrow = 0;
+		int8_t sub;
+		size_t i;
+		for (i = 0; i < b1.size(); i++) {
+			sub = b2[i] - b1[i] - borrow;
+			if (sub < 0) {
+				sub += base;
+				borrow = 1;
+			} else
+				borrow = 0;
+			result.data.push_back(sub);
+		}
+		for (; i < b2.size(); i++) {
+			sub = b2[i] - borrow;
+			if (sub < 0) {
+				sub += base;
+				borrow = 1;
+			} else
+				borrow = 0;
+			result.data.push_back(sub);
+		}
+		if (borrow) {
+			int8_t tmp = result.data[result.size() - 1] -= base;
+			tmp *= -1;
+			result.data[result.size() - 1] = tmp;
+		}
+		while (result.size() > 1 && result.data[result.size() - 1] == 0)
+			result.data.pop_back();
+
+		return result;
+	}
+	bool operator>=(const bignum &rhs) const {
+		return cmp_bignum(this->data, rhs.data) >= 0;
+	}
+	bool operator<=(const bignum &rhs) const {
+		return cmp_bignum(this->data, rhs.data) <= 0;
+	}
+	bool operator>(const bignum &rhs) const {
+		return cmp_bignum(this->data, rhs.data) > 0;
+	}
+	bool operator<(const bignum &rhs) const {
+		return cmp_bignum(this->data, rhs.data) < 0;
+	}
+	int operator[](int index) const {
+		return this->data[index];
+	}
+	friend std::ostream &operator<<(std::ostream &os, bignum &bn);
+	size_t size() const {
+		return data.size();
+	}
+
+	/*
+	  returns:
+	  - 0, if the lhs and rhs are equal;
+	  - a negative value if lhs is less than rhs;
+	  - a positive value if lhs is greater than rhs.
+	*/
+	int cmp_bignum(std::vector<uint8_t> lhs, std::vector<uint8_t> rhs) const
+	{
+		if (lhs.size() > rhs.size())
+			return 1;
+		else if (lhs.size() < rhs.size())
+			return -1;
+		else {
+			/* assumes the digits are stored in reverse order */
+			std::reverse(lhs.begin(), lhs.end());
+			std::reverse(rhs.begin(), rhs.end());
+			for (size_t i = 0; i < lhs.size(); i++) {
+				if (lhs[i] > rhs[i])
+					return 1;
+				if (lhs[i] < rhs[i])
+					return -1;
+			}
+		}
+		return 0;
+	}
+
+	static bignum lower_bound_regex(bignum val)
+	{
+		/* single digit numbers reduce to 0 */
+		if (val.size() == 1) {
+			val.data[0] = 0;
+			return val;
+		}
+
+		for (auto& j : val.data) {
+			uint8_t tmp = j;
+			j = 0;
+			if (tmp != val.base - 1) {
+				break;
+			}
+			if (&j == &val.data[val.size()-2]) {
+				val.data[val.size()-1] = 1;
+				break;
+			}
+		}
+		return val;
+
+	}
+
+	static bignum upper_bound_regex(bignum val)
+	{
+		for (auto& j : val.data) {
+			uint8_t tmp = j;
+			j = val.base - 1;
+			if (tmp != 0) {
+				break;
+			}
+		}
+		return val;
+	}
+
+};
+
+inline std::ostream &operator<<(std::ostream &os, bignum &bn)
+{
+	std::stringstream ss;
+	bignum tmp = bn;
+	std::reverse(tmp.data.begin(), tmp.data.end());
+	for (auto i : tmp.data)
+		ss << std::hex << (int) i;
+	os << ss.str();
+	return os;
+};
+
+#endif /* __AA_BIGNUM_H */

parser/common_optarg.c

@@ -71,6 +71,10 @@ optflag_table_t dumpflag_table[] = {
 	{ 1, "diff-progress", "Dump progress of differential encoding",
 	  DUMP_DFA_DIFF_PROGRESS | DUMP_DFA_DIFF_STATS },
 	{ 1, "rule-merge", "dump information about rule merging", DUMP_RULE_MERGE},
+	{ 1, "state32", "Dump encoding 32 bit states",
+	  DUMP_DFA_STATE32 },
+	{ 1, "flags_table", "Dump encoding flags table",
+	  DUMP_DFA_FLAGS_TABLE },
 	{ 0, NULL, NULL, 0 },
 };
 
@@ -78,7 +82,8 @@ optflag_table_t dfaoptflag_table[] = {
 	{ 2, "0", "no optimizations",
 	  CONTROL_DFA_TREE_NORMAL | CONTROL_DFA_TREE_SIMPLE |
 	  CONTROL_DFA_MINIMIZE | CONTROL_DFA_REMOVE_UNREACHABLE |
-	  CONTROL_DFA_DIFF_ENCODE
+	  CONTROL_DFA_DIFF_ENCODE | CONTROL_DFA_STATE32 |
+	  CONTROL_DFA_FLAGS_TABLE
 	},
 	{ 1, "equiv", "use equivalent classes", CONTROL_DFA_EQUIV },
 	{ 1, "expr-normalize", "expression tree normalization",
@@ -102,6 +107,10 @@ optflag_table_t dfaoptflag_table[] = {
 	{ 1, "diff-encode", "Differentially encode transitions",
 	  CONTROL_DFA_DIFF_ENCODE },
 	{ 1, "rule-merge", "turn on rule merging", CONTROL_RULE_MERGE},
+	{ 1, "state32", "use 32 bit state transitions",
+	  CONTROL_DFA_STATE32 },
+	{ 1, "flags-table", "use independent flags table",
+	  CONTROL_DFA_FLAGS_TABLE },
 	{ 0, NULL, NULL, 0 },
 };
 

parser/cond_expr.cc

@@ -0,0 +1,45 @@
+/*
+ *   Copyright (c) 2024
+ *   Canonical Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
+ */
+
+#include "cond_expr.h"
+#include "parser.h"
+
+cond_expr::cond_expr(bool result):
+	result(result)
+{
+}
+
+cond_expr::cond_expr(const char *var, bool defined)
+{
+	char *var_name = process_var(var);
+
+	if (!defined) {
+		int ret = get_boolean_var(var_name);
+		if (ret < 0) {
+			/* FIXME check for set var */
+			free(var_name);
+			yyerror(_("Unset boolean variable %s used in if-expression"), var);
+		}
+		result = ret;
+	} else {
+		void *set_value = get_set_var(var_name);
+		PDEBUG("Matched: defined set expr %s value %lx\n", var_name, (long) set_value);
+		result = !! (long) set_value;
+	}
+	free(var_name);
+}

parser/cond_expr.h

@@ -0,0 +1,35 @@
+/*
+ *   Copyright (c) 2024
+ *   Canonical Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
+ */
+
+#ifndef __AA_COND_EXPR_H
+#define __AA_COND_EXPR_H
+
+class cond_expr {
+private:
+	bool result;
+public:
+	cond_expr(bool result);
+	cond_expr(const char *var, bool defined);
+	virtual ~cond_expr()
+	{
+	};
+
+	bool eval(void) { return result; }
+};
+
+#endif /* __AA_COND_EXPR_H */