Prepare for AppArmor 4.0 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -264,7 +264,10 @@ tests/regression/apparmor/link_subset
 tests/regression/apparmor/mkdir
 tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
+tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat

.gitlab-ci.yml

@@ -17,7 +17,7 @@ stages:
     - uname -a
 
 .install-c-build-deps: &install-c-build-deps
-  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
+  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
 
 build-all:
   stage: build

binutils/aa_status.c

@@ -773,8 +773,8 @@ static int print_usage(const char *command, bool error)
 	 "  --pretty-json   same data as --json, formatted for human consumption as well\n"
 	 "  --verbose       (default) displays data points about loaded policy set\n"
 	 "  --quiet         don't output error messages\n"
-	 "  -h [(legacy|filter)]    this message, or info on the specified option\n"
-	 " --help[=(legacy|filter)] this message, or info on the specified option\n",
+	 "  -h[(legacy|filters)]      this message, or info on the specified option\n"
+	 "  --help[=(legacy|filters)] this message, or info on the specified option\n",
 	 command);
 
 	exit(status);
@@ -830,7 +830,7 @@ static int parse_args(int argc, char **argv)
 	};
 
 	// Using exit here is temporary
-	while ((opt = getopt_long(argc, argv, "+vh", long_opts, NULL)) != -1) {
+	while ((opt = getopt_long(argc, argv, "+vh::", long_opts, NULL)) != -1) {
 		switch (opt) {
 		case ARG_ENABLED:
 			exit(aa_is_enabled() == 1 ? 0 : AA_EXIT_DISABLED);

changehat/pam_apparmor/README

@@ -67,10 +67,10 @@ to syslog.
 References
 ----------
 Project webpage:
-http://developer.novell.com/wiki/index.php/Novell_AppArmor
+https://apparmor.net/
 
 To provide feedback or ask questions please contact the
-apparmor-dev@forge.novell.com mail list. This is the development list
+apparmor@lists.ubuntu.com mail list. This is the development list
 for the AppArmor team.
 
 See also: change_hat(3), and the Linux-PAM online documentation at

changehat/tomcat_apparmor/tomcat_5_0/README.tomcat_apparmor

@@ -188,10 +188,9 @@ parent context.
 8. Feedback/Resources
    -----------------
 
-To provide feedback or ask questions please contact the 
-apparmor-dev@forge.novell.com mail list. This is the development list for the 
-AppArmor team.
-
-
-
+Project webpage:
+https://apparmor.net/
 
+To provide feedback or ask questions please contact the
+apparmor@lists.ubuntu.com mail list. This is the development list
+for the AppArmor team.

changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor

@@ -188,10 +188,9 @@ parent context.
 8. Feedback/Resources
    -----------------
 
-To provide feedback or ask questions please contact the 
-apparmor-dev@forge.novell.com mail list. This is the development list for the 
-AppArmor team.
-
-
-
+Project webpage:
+https://apparmor.net/
 
+To provide feedback or ask questions please contact the
+apparmor@lists.ubuntu.com mail list. This is the development list
+for the AppArmor team.

common/Version

@@ -1 +1 @@
-4.0.0~alpha3
+4.0.0

libraries/libapparmor/configure.ac

@@ -92,6 +92,14 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 
+m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
+EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
+AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
+AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
+	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
+	,)
+AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
+
 AC_OUTPUT(
 Makefile
 doc/Makefile

libraries/libapparmor/doc/aa_getcon.pod

@@ -116,6 +116,14 @@ The specified I<file/task> does not exist or is not visible.
 
 The confinement data is too large to fit in the supplied buffer.
 
+=item B<ENOPROTOOPT>
+
+The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
+mainly when the kernel lacks 'fine grained unix mediation' support. It also
+can happen on LSM stacking kernels where another LSM has claimed this
+interface and decides to return this error, although this is really a
+corner case.
+
 =back
 
 =head1 NOTES

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
 aa_stack_profile("profile_a"), the equivalent of this shell command can be
 used:
 
- $ echo -n "stackprofile profile_a" > /proc/self/attr/current
+ $ echo -n "stack profile_a" > /proc/self/attr/current
 
 To stack a profile named "profile_a" at the next exec, as performed with
 aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
 
- $ echo -n "stackexec profile_a" > /proc/self/attr/exec
+ $ echo -n "stack profile_a" > /proc/self/attr/exec
 
 These raw AppArmor filesystem operations must only be used when using
 libapparmor is not a viable option.
@@ -184,6 +184,7 @@ with apparmor_parser(8):
      /etc/passwd               r,
 
      # Needed for aa_stack_profile()
+     change-profile -> &i_cant_be_trusted_anymore,
      /usr/lib/libapparmor*.so* mr,
      /proc/[0-9]*/attr/current w,
  }

libraries/libapparmor/src/Makefile.am

@@ -33,9 +33,9 @@ INCLUDES = $(all_includes)
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
 
 AA_LIB_CURRENT = 18
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 1
 AA_LIB_AGE = 17
-EXPECTED_SO_NAME = libapparmor.so.1.17.0
+EXPECTED_SO_NAME = libapparmor.so.1.17.1
 
 SUFFIXES = .pc.in .pc
 
@@ -45,7 +45,6 @@ include $(COMMONDIR)/Make.rules
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1709108389.303:12383): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/home/user/test/testmount" name="/tmp/foo/" pid=14155 comm="testmount" flags="ro, remount"

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.out

@@ -0,0 +1,15 @@
+START
+File: testcase_remount_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1709108389.303:12383
+Operation: mount
+Profile: /home/user/test/testmount
+Name: /tmp/foo/
+Command: testmount
+Info: failed mntpnt match
+ErrorCode: 13
+PID: 14155
+Flags: ro, remount
+Class: mount
+Epoch: 1709108389
+Audit subid: 12383

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.profile

@@ -0,0 +1,4 @@
+/home/user/test/testmount {
+  mount options=(remount, ro) -> /tmp/foo/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1709025786.045:43147): apparmor="DENIED" operation="umount" class="mount" profile="/home/user/test/testmount" name="/mnt/a/" pid=26697 comm="testmount"

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.out

@@ -0,0 +1,12 @@
+START
+File: testcase_umount_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1709025786.045:43147
+Operation: umount
+Profile: /home/user/test/testmount
+Name: /mnt/a/
+Command: testmount
+PID: 26697
+Class: mount
+Epoch: 1709025786
+Audit subid: 43147

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.profile

@@ -0,0 +1,4 @@
+/home/user/test/testmount {
+  umount /mnt/a/,
+
+}

parser/Makefile

@@ -70,7 +70,10 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
 
-CFLAGS	+= -flto-partition=none
+HAVE_FLTO_PARTITION_NONE:=$(shell ${CC} -E -flto-partition=none /dev/null 1>/dev/null 2>&1 && echo true)
+ifeq ($(HAVE_FLTO_PARTITION_NONE),true)
+	CFLAGS += -flto-partition=none
+endif
 
 EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
@@ -437,7 +440,6 @@ install-arch: $(INSTALLDEPS)
 install-indep: indep
 	install -m 755 -d $(INSTALL_CONFDIR)
 	install -m 644 parser.conf $(INSTALL_CONFDIR)
-	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
 	install -m 755 profile-load $(APPARMOR_BIN_PREFIX)

parser/af_unix.cc

@@ -202,7 +202,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
 		if (audit == AUDIT_FORCE)
 			prof.net.audit[AF_UNIX] |= mask;
 		const char *error;
-		network_rule *netv8 = new network_rule(AF_UNIX, sock_type_n);
+		network_rule *netv8 = new network_rule(perms, AF_UNIX, sock_type_n);
 		if(!netv8->add_prefix({audit, rule_mode, owner}, error))
 			yyerror(error);
 		prof.rule_ents.push_back(netv8);

parser/all_rule.cc

@@ -83,7 +83,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
-	rule = new network_rule(NULL);
+	rule = new network_rule(0, (struct cond_entry *)NULL, (struct cond_entry *)NULL);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 	

parser/all_rule.h

@@ -29,8 +29,6 @@
 class all_rule: public prefix_rule_t {
 	void move_conditionals(struct cond_entry *conds);
 public:
-	char *label;
-
 	all_rule(void): prefix_rule_t(RULE_TYPE_ALL) { }
 
 	virtual bool valid_prefix(const prefixes &p, const char *&error) {

parser/apparmor.d.pod

@@ -117,7 +117,7 @@ B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted'
 | 'attach_disconnected' | 'attach_disconneced.path='I<ABS PATH> | 'chroot_relative'
 | 'debug' | 'interruptible' | 'kill.signal='I<SIGNAL>
 
-B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
+B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'default_allow' | 'unconfined' | 'prompt'
 
 B<AUDIT MODE> = 'audit'
 
@@ -148,7 +148,14 @@ B<CAPABILITY LIST> = ( I<CAPABILITY> )+
 B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
 capabilities(7))
 
-B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
+B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<NETWORK ACCESS EXPR> ] [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ] [ I<NETWORK LOCAL EXPR> ] [ I<NETWORK PEER EXPR> ]
+
+B<NETWORK ACCESS EXPR> = ( I<NETWORK ACCESS> | I<NETWORK ACCESS LIST> )
+
+B<NETWORK ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
+  Some access modes are incompatible with some rules.
+
+B<NETWORK ACCESS LIST> = '(' I<NETWORK ACCESS> ( [','] I<NETWORK ACCESS> )* ')'
 
 B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' | 'mctp' ) ','
 
@@ -156,6 +163,22 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
 B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
 
+B<NETWORK LOCAL EXPR> = ( I<NETWORK IP COND> | I<NETWORK PORT COND> )*
+  Each cond can appear at most once.
+
+B<NETWORK PEER EXPR> = 'peer' '=' '(' ( I<NETWORK IP COND> | I<NETWORK PORT COND> )+ ')'
+  Each cond can appear at most once.
+
+B<NETWORK IP COND> = 'ip' '=' ( 'none' | I<NETWORK IPV4> | I<NETWORK IPV6> )
+
+B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> )
+
+B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
+
+B<NETWORK IPV6> = IPv6, represented by eight groups of four hexadecimal numbers separated by ':'. Shortened representation of contiguous zeros is allowed by using '::'
+
+B<NETWORK PORT> = 16-bit number ranging from 0 to 65535
+
 B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
 
 B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]
@@ -466,12 +489,36 @@ a signal to kill it.
 permission the action will be allowed, but the violation will be logged
 with a tag of the access being B<ALLOWED>.
 
+=item B<default_allow> This mode changes the default behavior of
+apparmor from default deny to default allow. When default_allow is
+specified the resulting profile will allow operations that the profile
+does not have a rule for. This mode is similar to I<unconfined> but
+allows for allow and deny rules, specifying audit, and domain
+transitions.  Profiles in this mode may be be reported as being in
+I<enforce> mode or I<allow> mode when introspected from the kernel.
+
+Note: default_allow is similar and for many profiles will be equivalent
+to specifying an I<allow all,> rule in the profile. The default_allow
+flag does not provide all the same option that the I<allow all,> rule
+provides.
+
 =item B<unconfined> This mode allows a task confined by the profile to
-behave as though they are I<unconfined>. This mode allow for an
-unconfined behavior that can be later changed to confinement by using
-profile replacement. This mode is should not be used under regular
-deployment but can be useful during debugging and some system
-initialization scenarios.
+behave as though it is I<unconfined>. The unconfined behavior can be
+later changed to confinement by using profile replacement. This mode
+should not be used under regular deployment but can be useful during
+debugging and some system initialization scenarios.
+
+This mode is similar to default_allow and may be emulated by
+default_allow in kernels that no longer support a true unconfined
+mode. It does not generally allow for specifying deny rules, or allow
+rules that override the default behavior, except in a few custom
+kernels where unconfined restricts a few operations. It relies on
+special customized behavior of the unconfined profile in the kernel
+and as such should only be used for debugging.
+
+Note: true unconfined is being phased out, with unconfined becoming a
+replaceable profile. As such unconfined mode will be emulated by a
+special profile compiled with the default_allow flag in newer kernels.
 
 =item B<prompt> This mode allows task mediation to send an up call to
 userspace to ask for a decision when there isn't a rule covering the
@@ -888,11 +935,10 @@ and other operations that are typically reserved for the root user.
 
 =head2 Network Rules
 
-AppArmor supports simple coarse grained network mediation.  The network
-rule restrict all socket(2) based operations.  The mediation done is
-a coarse-grained check on whether a socket of a given type and family
-can be created, read, or written.  There is no mediation based of port
-number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
+AppArmor supports simple coarse grained network mediation.  The
+network rule restrict all socket(2) based operations.  The mediation
+done is a coarse-grained check on whether a socket of a given type and
+family can be created, read, or written. Network netlink(7) rules may
 only specify type 'dgram' and 'raw'.
 
 AppArmor network rules are accumulated so that the granted network
@@ -909,6 +955,48 @@ eg.
  network inet6 tcp,	#allow access to tcp only for inet6 addresses
  network netlink raw,	#allow access to AF_NETLINK SOCK_RAW
 
+=head3 Network permissions
+
+Network rule permissions are implied when a rule does not explicitly
+state an access list. By default if a rule does not have an access
+list all permissions that are compatible with the specified set of
+local and peer conditionals are implied.
+
+The create, bind, listen, shutdown, getattr, setattr, getopt, and
+setopt permissions are local socket permissions. They are only applied
+to the local socket and can't be specified in rules that have a peer
+conditional. The accept permission applies to the combination of a
+local and peer socket. The connect, send, and receive permissions are
+peer socket permissions.
+
+=head3 Mediation of inet/inet6 family
+
+AppArmor supports fine grained mediation of the inet and inet6
+families by using the ip and port conditionals. The ip conditional
+accepts both IPv4 and IPv6 using the regular representation of four
+octets separated by '.' for IPv4 and eight groups of four hexadecimal
+numbers separated by ':' for IPv6. Contiguous leading zeros can be
+replaced by '::' once. On a connected socket, the sender and receiver
+don't need to be specified in the recvfrom and sendto system calls. In
+that case, and with unbounded sockets, the IP address is none, or
+unknown. Unknown or Unbound IP addresses are represented in policy by the
+'none' keyword. When the ip conditional is omitted, then all IP
+addresses will be allowed: IPv4, IPv6 and none. If INADDR_ANY or
+in6addr_any is used, then the ip conditional can be omitted or they
+can be represented by:
+
+ network ip=::,		#allow in6addr_any
+ network ip=0.0.0.0;	#allow INADDR_ANY
+
+The network rules support the specification of local and remote IP
+addresses and ports.
+
+ network ip=127.0.0.1 port=8080,
+ network peer=(ip=10.139.15.23 port=8081),
+ network ip=fd74:1820:b03a:b361::cf32 peer=(ip=fd74:1820:b03a:b361::a0f9),
+ network port=8080 peer=(port=8081),
+ network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
+
 =head2 Mount Rules
 
 AppArmor supports mount mediation and allows specifying filesystem types and
@@ -2013,8 +2101,6 @@ An example AppArmor profile:
 
 =over 4
 
-=item F</etc/init.d/boot.apparmor>
-
 =item F</etc/apparmor.d/>
 
 =back

parser/apparmor.pod

@@ -36,12 +36,11 @@ of resources. AppArmor's unique security model is to bind access control
 attributes to programs rather than to users.
 
 AppArmor confinement is provided via I<profiles> loaded into the kernel
-via apparmor_parser(8), typically through the F</etc/init.d/apparmor>
-SysV initscript, which is used like this:
+via apparmor_parser(8), typically through the F<apparmor.service>
+systemd unit, which is used like this:
 
-	# /etc/init.d/apparmor start
-	# /etc/init.d/apparmor stop
-	# /etc/init.d/apparmor restart
+	# systemctl start apparmor
+	# systemctl reload apparmor
 
 AppArmor can operate in two modes: I<enforcement>, and I<complain or learning>:
 
@@ -273,11 +272,9 @@ Else, if auditd is running, see auditd(8) and auditd.conf(5).
 
 =over 4
 
-=item F</etc/init.d/apparmor>
-
 =item F</etc/apparmor.d/>
 
-=item F</var/lib/apparmor/>
+=item F</var/cache/apparmor/>
 
 =item F</var/log/audit/audit.log>
 

parser/apparmor.service

@@ -6,6 +6,8 @@ After=systemd-journald-audit.socket
 # profile cache: /var/cache/apparmor/ and /usr/share/apparmor/cache/
 After=var.mount var-cache.mount usr.mount usr-share.mount
 ConditionSecurity=apparmor
+Documentation=man:apparmor(7)
+Documentation=https://gitlab.com/apparmor/apparmor/wikis/home/
 
 [Service]
 Type=oneshot

parser/apparmor_parser.pod

@@ -299,11 +299,11 @@ Enable various warnings during policy compilation. A single warn flag
 can be specified per --warn option, but the --warn flag can be passed
 multiple times.
 
-  apparmor_parser --warn=rules-not-enforced ...
+  apparmor_parser --warn=rule-not-enforced ...
 
 A specific warning can be disabled by prepending I<no>- to the flag
 
-  apparmor_parser --warn=no-rules-not-enforced ...
+  apparmor_parser --warn=no-rule-not-enforced ...
 
 Use --help=warn to see a full list of which warn flags are supported.
 

parser/bignum.h

@@ -12,8 +12,7 @@
  *   GNU General Public License for more details.
  *
  *   You should have received a copy of the GNU General Public License
- *   along with this program; if not, contact Novell, Inc. or Canonical
- *   Ltd.
+ *   along with this program; if not, contact Canonical Ltd.
  */
 
 #ifndef __AA_BIGNUM_H
@@ -29,10 +28,9 @@ class bignum
 {
 public:
 	std::vector<uint8_t> data;
-	uint64_t sad = 543;
 	uint8_t base;
 	bool negative = false;
-	bignum () {}
+	bignum () : base(0) {}
 
 	bignum (unsigned long val) {
 		if (val == 0)

parser/libapparmor_re/parse.y

@@ -72,6 +72,7 @@ static inline Chars* insert_char_range(Chars* cset, transchar a, transchar b)
  * parsing succeeds!
  */
 %destructor { $$->release(); } expr terms0 terms qterm term
+%destructor { delete $$; } charset cset_chars
 
 %%
 

parser/mount.cc

@@ -234,6 +234,7 @@ struct mnt_keyword_table {
 	unsigned int clear;
 };
 
+// keep in sync with utils/apparmor/rule/mount.py flags_keywords
 static struct mnt_keyword_table mnt_opts_table[] = {
 	{"ro",			MS_RDONLY, 0},
 	{"r",			MS_RDONLY, 0},

parser/mqueue.cc

@@ -231,10 +231,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 			/* store perms at name match so label doesn't need
 			 * to be checked
 			 */
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
 				goto fail;
 		}
 	}
@@ -266,10 +266,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		}
 
 		if (perms & AA_VALID_SYSV_MQ_PERMS) {
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
 				goto fail;
 		}
 	}

parser/mqueue.h

@@ -52,13 +52,13 @@
  * kernel doesn't allow for us to control
  * - posix
  *   - notify
- *   - getattr/setattr
  *   - labels at anything other than mqueue label, via mqueue inode.
  */
 
 #define AA_VALID_POSIX_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ |    \
 				 AA_MQUEUE_CREATE | AA_MQUEUE_DELETE | \
-				 AA_MQUEUE_OPEN)
+				 AA_MQUEUE_OPEN |		       \
+				 AA_MQUEUE_SETATTR | AA_MQUEUE_GETATTR)
 
  /* TBD - for now make it wider than posix */
 #define AA_VALID_SYSV_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ |    \
@@ -78,6 +78,11 @@ typedef enum mqueue_type {
 	mqueue_sysv
 } mqueue_type;
 
+static inline uint32_t map_mqueue_perms(uint32_t mask)
+{
+	return (mask & 0x7f) |
+		((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
+}
 
 int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail);
 

parser/network.cc

@@ -20,6 +20,7 @@
 #include <string>
 #include <sstream>
 #include <map>
+#include <arpa/inet.h>
 
 #include "lib.h"
 #include "parser.h"
@@ -251,6 +252,19 @@ const char *net_find_af_name(unsigned int af)
 	return NULL;
 }
 
+const char *net_find_protocol_name(unsigned int protocol)
+{
+	size_t i;
+
+	for (i = 0; i < sizeof(network_mappings) / sizeof(*network_mappings); i++) {
+		if (network_mappings[i].protocol == protocol) {
+			return network_mappings[i].protocol_name;
+		}
+	}
+
+	return NULL;
+}
+
 const struct network_tuple *net_find_mapping(const struct network_tuple *map,
 					     const char *family,
 					     const char *type,
@@ -298,7 +312,63 @@ const struct network_tuple *net_find_mapping(const struct network_tuple *map,
 	return NULL;
 }
 
-void network_rule::move_conditionals(struct cond_entry *conds)
+bool parse_ipv4_address(const char *input, struct ip_address *result)
+{
+	struct in_addr addr;
+	if (inet_pton(AF_INET, input, &addr) == 1) {
+		result->family = AF_INET;
+		result->address.address_v4 = addr.s_addr;
+		return true;
+	}
+	return false;
+}
+
+bool parse_ipv6_address(const char *input, struct ip_address *result)
+{
+	struct in6_addr addr;
+	if (inet_pton(AF_INET6, input, &addr) == 1) {
+		result->family = AF_INET6;
+		memcpy(result->address.address_v6, addr.s6_addr, 16);
+		return true;
+	}
+	return false;
+}
+
+bool parse_ip(const char *ip, struct ip_address *result)
+{
+	return parse_ipv6_address(ip, result) ||
+		parse_ipv4_address(ip, result);
+}
+
+bool parse_port_number(const char *port_entry, uint16_t *port) {
+	char *eptr;
+	unsigned long port_tmp = strtoul(port_entry, &eptr, 10);
+
+	if (port_entry != eptr && *eptr == '\0' &&
+	    port_tmp <= UINT16_MAX) {
+		*port = port_tmp;
+		return true;
+	}
+	return false;
+}
+
+bool network_rule::parse_port(ip_conds &entry)
+{
+	entry.is_port = true;
+	return parse_port_number(entry.sport, &entry.port);
+}
+
+bool network_rule::parse_address(ip_conds &entry)
+{
+	if (strcmp(entry.sip, "none") == 0) {
+		entry.is_none = true;
+		return true;
+	}
+	entry.is_ip = true;
+	return parse_ip(entry.sip, &entry.ip);
+}
+
+void network_rule::move_conditionals(struct cond_entry *conds, ip_conds &ip_cond)
 {
 	struct cond_entry *cond_ent;
 
@@ -306,64 +376,139 @@ void network_rule::move_conditionals(struct cond_entry *conds)
 		/* for now disallow keyword 'in' (list) */
 		if (!cond_ent->eq)
 			yyerror("keyword \"in\" is not allowed in network rules\n");
-
-		/* no valid conditionals atm */
-		yyerror("invalid network rule conditional \"%s\"\n",
-			cond_ent->name);
+		if (strcmp(cond_ent->name, "ip") == 0) {
+			move_conditional_value("network", &ip_cond.sip, cond_ent);
+			if (!parse_address(ip_cond))
+				yyerror("network invalid ip='%s'\n", ip_cond.sip);
+		} else if (strcmp(cond_ent->name, "port") == 0) {
+			move_conditional_value("network", &ip_cond.sport, cond_ent);
+			if (!parse_port(ip_cond))
+				yyerror("network invalid port='%s'\n", ip_cond.sport);
+		} else {
+			yyerror("invalid network rule conditional \"%s\"\n",
+				cond_ent->name);
+		}
 	}
 }
 
-void network_rule::set_netperm(unsigned int family, unsigned int type)
+void network_rule::set_netperm(unsigned int family, unsigned int type, unsigned int protocol)
 {
 	if (type > SOCK_PACKET) {
 		/* setting mask instead of a bit */
-		network_perms[family] |= type;
+		network_perms[family].first |= type;
 	} else
-		network_perms[family] |= 1 << type;
+		network_perms[family].first |= 1 << type;
+	network_perms[family].second |= protocol;
 }
 
-network_rule::network_rule(struct cond_entry *conds):
-	dedup_perms_rule_t(AA_CLASS_NETV8)
+network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
+			   struct cond_entry *peer_conds):
+	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
-	size_t family_index;
-	for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
-		network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
-		set_netperm(family_index, 0xFFFFFFFF);
+	size_t family_index, i;
+
+	move_conditionals(conds, local);
+	move_conditionals(peer_conds, peer);
+	free_cond_list(conds);
+	free_cond_list(peer_conds);
+
+	if (has_local_conds() || has_peer_conds()) {
+		const char *family[] = { "inet", "inet6" };
+		for (i = 0; i < sizeof(family)/sizeof(family[0]); i++) {
+			const struct network_tuple *mapping = NULL;
+			while ((mapping = net_find_mapping(mapping, family[i], NULL, NULL))) {
+				network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
+				set_netperm(mapping->family, mapping->type, mapping->protocol);
+			}
+		}
+	} else {
+		for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
+			network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
+			set_netperm(family_index, 0xFFFFFFFF, 0xFFFFFFFF);
+		}
 	}
 
-	move_conditionals(conds);
-	free_cond_list(conds);
+
+
+	if (perms_p) {
+		perms = perms_p;
+		if (perms & ~AA_VALID_NET_PERMS)
+			yyerror("perms contains invalid permissions for network rules\n");
+		else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds())
+			yyerror("network 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
+	} else {
+		perms = AA_VALID_NET_PERMS;
+	}
 }
 
-network_rule::network_rule(const char *family, const char *type,
-			   const char *protocol, struct cond_entry *conds):
-	dedup_perms_rule_t(AA_CLASS_NETV8)
+network_rule::network_rule(perms_t perms_p, const char *family, const char *type,
+			   const char *protocol, struct cond_entry *conds,
+			   struct cond_entry *peer_conds):
+	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
 	const struct network_tuple *mapping = NULL;
+
+	move_conditionals(conds, local);
+	move_conditionals(peer_conds, peer);
+	free_cond_list(conds);
+	free_cond_list(peer_conds);
+
 	while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
+		/* if inet conds and family are specified, fail if
+		 * family is not af_inet or af_inet6
+		 */
+		if ((has_local_conds() || has_peer_conds()) &&
+		    mapping->family != AF_INET && mapping->family != AF_INET6) {
+			yyerror("network family does not support local or peer conditionals\n");
+		}
 		network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
-		set_netperm(mapping->family, mapping->type);
+		set_netperm(mapping->family, mapping->type, mapping->protocol);
 	}
 
 	if (type == NULL && network_map.empty()) {
 		while ((mapping = net_find_mapping(mapping, type, family, protocol))) {
+			/* if inet conds and type/protocol are
+			 * specified, only add rules for af_inet and
+			 * af_inet6
+			 */
+			if ((has_local_conds() || has_peer_conds()) &&
+			    mapping->family != AF_INET && mapping->family != AF_INET6)
+				continue;
+
 			network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
-			set_netperm(mapping->family, mapping->type);
+			set_netperm(mapping->family, mapping->type, mapping->protocol);
 		}
 	}
 
 	if (network_map.empty())
 		yyerror(_("Invalid network entry."));
 
-	move_conditionals(conds);
-	free_cond_list(conds);
+	if (perms_p) {
+		perms = perms_p;
+		if (perms & ~AA_VALID_NET_PERMS)
+			yyerror("perms contains invalid permissions for network rules\n");
+		else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds())
+			yyerror("network 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
+	} else {
+		perms = AA_VALID_NET_PERMS;
+	}
 }
 
-network_rule::network_rule(unsigned int family, unsigned int type):
-	dedup_perms_rule_t(AA_CLASS_NETV8)
+network_rule::network_rule(perms_t perms_p, unsigned int family, unsigned int type):
+	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
 	network_map[family].push_back({ family, type, 0xFFFFFFFF });
-	set_netperm(family, type);
+	set_netperm(family, type, 0xFFFFFFFF);
+
+	if (perms_p) {
+		perms = perms_p;
+		if (perms & ~AA_VALID_NET_PERMS)
+			yyerror("perms contains invalid permissions for network rules\n");
+		else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds())
+			yyerror("network 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
+	} else {
+		perms = AA_VALID_NET_PERMS;
+	}
 }
 
 ostream &network_rule::dump(ostream &os)
@@ -382,7 +527,8 @@ ostream &network_rule::dump(ostream &os)
 
 	for (const auto& perm : network_perms) {
 		unsigned int family = perm.first;
-		unsigned int type = perm.second;
+		unsigned int type = perm.second.first;
+		unsigned int protocol = perm.second.second;
 
 		const char *family_name = net_find_af_name(family);
 		if (family_name)
@@ -410,6 +556,12 @@ ostream &network_rule::dump(ostream &os)
 			os << " #" << std::hex << (type & mask);
 
 		printf(" }");
+
+		const char *protocol_name = net_find_protocol_name(protocol);
+		if (protocol_name)
+			os << " " << protocol_name;
+		else
+			os << " #" << protocol;
 	}
 
 	os << ",\n";
@@ -428,7 +580,146 @@ void network_rule::warn_once(const char *name)
 	rule_t::warn_once(name, "network rules not enforced");
 }
 
-bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask) {
+std::string gen_ip_cond(const struct ip_address ip)
+{
+	std::ostringstream oss;
+	int i;
+	if (ip.family == AF_INET) {
+		/* add a byte containing the size of the following ip */
+		oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
+
+		u8 *byte = (u8 *) &ip.address.address_v4; /* in network byte order */
+		for (i = 0; i < 4; i++)
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(byte[i]);
+	} else {
+		/* add a byte containing the size of the following ip */
+		oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV6_SIZE;
+		for (i = 0; i < 16; ++i)
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(ip.address.address_v6[i]);
+	}
+	return oss.str();
+}
+
+std::string gen_port_cond(uint16_t port)
+{
+	std::ostringstream oss;
+	if (port > 0) {
+		oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((port & 0xff00) >> 8);
+		oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (port & 0xff);
+	} else {
+		oss << "..";
+	}
+	return oss.str();
+}
+
+std::list<std::ostringstream> gen_all_ip_options(std::ostringstream &oss) {
+
+	std::list<std::ostringstream> all_streams;
+	std::ostringstream none, ipv4, ipv6;
+	int i;
+	none << oss.str();
+	ipv4 << oss.str();
+	ipv6 << oss.str();
+
+	none << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
+
+	/* add a byte containing the size of the following ip */
+	ipv4 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
+	for (i = 0; i < 4; i++)
+		ipv4 << ".";
+
+	/* add a byte containing the size of the following ip */
+	ipv6 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV6_SIZE;
+	for (i = 0; i < 16; ++i)
+		ipv6 << ".";
+
+	all_streams.push_back(std::move(none));
+	all_streams.push_back(std::move(ipv4));
+	all_streams.push_back(std::move(ipv6));
+
+	return all_streams;
+}
+
+std::list<std::ostringstream> copy_streams_list(std::list<std::ostringstream> &streams)
+{
+	std::list<std::ostringstream> streams_copy;
+	for (auto &oss : streams) {
+		std::ostringstream oss_copy(oss.str());
+		streams_copy.push_back(std::move(oss_copy));
+	}
+	return streams_copy;
+}
+
+bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
+{
+	std::string buf;
+	perms_t cond_perms;
+	std::list<std::ostringstream> ip_streams;
+
+	for (auto &oss : streams) {
+		if (entry.is_port && !(entry.is_ip && entry.is_none)) {
+			/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
+			if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
+				oss << "\\x01";
+			else if (is_peer)
+				oss << "\\x02";
+			else
+				oss << "\\x00";
+
+			oss << gen_port_cond(entry.port);
+		} else {
+			/* port type + port number */
+			oss << "...";
+		}
+	}
+
+	ip_streams = std::move(streams);
+	streams.clear();
+
+	for (auto &oss : ip_streams) {
+		if (entry.is_ip) {
+			oss << gen_ip_cond(entry.ip);
+			streams.push_back(std::move(oss));
+		} else if (entry.is_none) {
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
+			streams.push_back(std::move(oss));
+		} else {
+			streams.splice(streams.end(), gen_all_ip_options(oss));
+		}
+	}
+
+	cond_perms = map_perms(perms);
+	if (!is_cmd && (label || is_peer))
+		cond_perms = (AA_CONT_MATCH << 1);
+
+	for (auto &oss : streams) {
+		oss << "\\x00"; /* null transition */
+
+		buf = oss.str();
+		/* AA_CONT_MATCH mapping (cond_perms) only applies to perms, not audit */
+		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, cond_perms,
+						 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+						 parseopts))
+			return false;
+
+		if (label || is_peer) {
+			if (!is_peer)
+				cond_perms = map_perms(perms);
+
+			oss << default_match_pattern; /* label - not used for now */
+			oss << "\\x00"; /* null transition */
+
+			buf = oss.str();
+			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, cond_perms,
+							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+							 parseopts))
+				return false;
+		}
+	}
+	return true;
+}
+
+bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol) {
 	std::ostringstream buffer;
 	std::string buf;
 
@@ -441,13 +732,97 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
 		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((type_mask & 0xff00) >> 8);
 		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (type_mask & 0xff);
 	}
-	buf = buffer.str();
 
-	if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
-					 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
-					 parseopts))
+	if (!features_supports_inet || (family != AF_INET && family != AF_INET6)) {
+		buf = buffer.str();
+		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
+						 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+						 parseopts))
+			return false;
+		return true;
+	}
+
+	buf = buffer.str();
+	/* create perms need to be generated excluding the rest of the perms */
+	if (perms & AA_NET_CREATE) {
+		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms & AA_NET_CREATE) | (AA_CONT_MATCH << 1),
+						 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms & AA_NET_CREATE) : 0,
+						 parseopts))
+			return false;
+	}
+
+	/* encode protocol */
+	if (protocol > 0xffff) {
+		buffer << "..";
+	} else {
+		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((protocol & 0xff00) >> 8);
+		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (protocol & 0xff);
+	}
+
+	if (perms & AA_PEER_NET_PERMS) {
+		std::list<std::ostringstream> streams;
+		std::ostringstream cmd_buffer;
+
+		cmd_buffer << buffer.str();
+		streams.push_back(std::move(cmd_buffer));
+
+		if (!gen_ip_conds(prof, streams, peer, true, false))
+			return false;
+
+		for (auto &oss : streams) {
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
+		}
+
+		if (!gen_ip_conds(prof, streams, local, false, true))
+			return false;
+	}
+
+	std::list<std::ostringstream> streams;
+	std::ostringstream common_buffer;
+
+	common_buffer << buffer.str();
+	streams.push_back(std::move(common_buffer));
+
+	if (!gen_ip_conds(prof, streams, local, false, false))
 		return false;
 
+	if (perms & AA_NET_LISTEN) {
+		std::list<std::ostringstream> cmd_streams;
+		cmd_streams = copy_streams_list(streams);
+
+		for (auto &cmd_buffer : streams) {
+			std::ostringstream listen_buffer;
+			listen_buffer << cmd_buffer.str();
+			listen_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
+			/* length of queue allowed - not used for now */
+			listen_buffer << "..";
+			buf = listen_buffer.str();
+			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
+							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+							 parseopts))
+				return false;
+		}
+	}
+	if (perms & AA_NET_OPT) {
+		std::list<std::ostringstream> cmd_streams;
+		cmd_streams = copy_streams_list(streams);
+
+		for (auto &cmd_buffer : streams) {
+			std::ostringstream opt_buffer;
+			opt_buffer << cmd_buffer.str();
+			opt_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
+			/* level - not used for now */
+			opt_buffer << "..";
+			/* socket mapping - not used for now */
+			opt_buffer << "..";
+			buf = opt_buffer.str();
+			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
+							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+							 parseopts))
+				return false;
+		}
+	}
+
 	return true;
 }
 
@@ -463,17 +838,18 @@ int network_rule::gen_policy_re(Profile &prof)
 
 	for (const auto& perm : network_perms) {
 		unsigned int family = perm.first;
-		unsigned int type = perm.second;
+		unsigned int type = perm.second.first;
+		unsigned int protocol = perm.second.second;
 
 		if (type > 0xffff) {
-			if (!gen_net_rule(prof, family, type))
+			if (!gen_net_rule(prof, family, type, protocol))
 				goto fail;
 		} else {
 			int t;
 			/* generate rules for types that are set */
 			for (t = 0; t < 16; t++) {
 				if (type & (1 << t)) {
-					if (!gen_net_rule(prof, family, t))
+					if (!gen_net_rule(prof, family, t, protocol))
 						goto fail;
 				}
 			}
@@ -544,13 +920,27 @@ void network_rule::update_compat_net(void)
 	}
 }
 
-static int cmp_network_map(std::unordered_map<unsigned int, perms_t> lhs,
-			   std::unordered_map<unsigned int, perms_t> rhs)
+static int cmp_ip_conds(ip_conds const &lhs, ip_conds const &rhs)
+{
+	int res = null_strcmp(lhs.sip, rhs.sip);
+	if (res)
+		return res;
+	res = null_strcmp(lhs.sport, rhs.sport);
+	if (res)
+		return res;
+	return lhs.is_none - rhs.is_none;
+}
+
+static int cmp_network_map(std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> lhs,
+			   std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> rhs)
 {
 	int res;
 	size_t family_index;
 	for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
-		res = lhs[family_index] - rhs[family_index];
+		res = lhs[family_index].first - rhs[family_index].first;
+		if (res)
+			return res;
+		res = lhs[family_index].second - rhs[family_index].second;
 		if (res)
 			return res;
 	}
@@ -563,5 +953,14 @@ int network_rule::cmp(rule_t const &rhs) const
 	if (res)
 		return res;
 	network_rule const &nrhs = rule_cast<network_rule const &>(rhs);
-	return cmp_network_map(network_perms, nrhs.network_perms);
+	res = cmp_network_map(network_perms, nrhs.network_perms);
+	if (res)
+		return res;
+	res = cmp_ip_conds(local, nrhs.local);
+	if (res)
+		return res;
+	res = cmp_ip_conds(peer, nrhs.peer);
+	if (res)
+		return res;
+	return null_strcmp(label, nrhs.label);
 };

parser/network.h

@@ -26,6 +26,7 @@
 #include <arpa/inet.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <list>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -75,6 +76,14 @@
 #define AA_PEER_NET_PERMS (AA_VALID_NET_PERMS & (~AA_LOCAL_NET_PERMS | \
 						 AA_NET_ACCEPT))
 
+#define CMD_ADDR	1
+#define CMD_LISTEN	2
+#define CMD_OPT		4
+
+#define NONE_SIZE	0
+#define IPV4_SIZE	1
+#define IPV6_SIZE	2
+
 struct network_tuple {
 	const char *family_name;
 	unsigned int family;
@@ -104,22 +113,61 @@ int net_find_type_val(const char *type);
 const char *net_find_type_name(int type);
 const char *net_find_af_name(unsigned int af);
 
+struct ip_address {
+	union {
+		uint8_t address_v6[16];
+		uint32_t address_v4;
+	} address;
+	uint16_t family;
+};
+
+class ip_conds {
+public:
+	char *sip = NULL;
+	char *sport = NULL;
+
+	bool is_ip = false;
+	bool is_port = false;
+
+	uint16_t port;
+	struct ip_address ip;
+
+	bool is_none = false;
+
+	void free_conds() {
+		if (sip)
+			free(sip);
+		if (sport)
+			free(sport);
+	}
+};
+
 class network_rule: public dedup_perms_rule_t {
-	void move_conditionals(struct cond_entry *conds);
+	void move_conditionals(struct cond_entry *conds, ip_conds &ip_cond);
 public:
 	std::unordered_map<unsigned int, std::vector<struct aa_network_entry>> network_map;
-	std::unordered_map<unsigned int, perms_t> network_perms;
+	std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> network_perms;
 
+	ip_conds peer;
+	ip_conds local;
+	char *label;
+
+	bool has_local_conds(void) { return local.sip || local.sport; }
+	bool has_peer_conds(void) { return peer.sip || peer.sport; }
 	/* empty constructor used only for the profile to access
 	 * static elements to maintain compatibility with
 	 * AA_CLASS_NET */
-	network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
-	network_rule(struct cond_entry *conds);
-	network_rule(const char *family, const char *type,
-		     const char *protocol, struct cond_entry *conds);
-	network_rule(unsigned int family, unsigned int type);
+	network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
+	network_rule(perms_t perms_p, struct cond_entry *conds,
+		     struct cond_entry *peer_conds);
+	network_rule(perms_t perms_p, const char *family, const char *type,
+		     const char *protocol, struct cond_entry *conds,
+		     struct cond_entry *peer_conds);
+	network_rule(perms_t perms_p, unsigned int family, unsigned int type);
 	virtual ~network_rule()
 	{
+		peer.free_conds();
+		local.free_conds();
 		if (allow) {
 			free(allow);
 			allow = NULL;
@@ -138,9 +186,12 @@ public:
 		}
 	};
 
-	bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask);
-	void set_netperm(unsigned int family, unsigned int type);
+	bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd);
+	bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol);
+	void set_netperm(unsigned int family, unsigned int type, unsigned int protocol);
 	void update_compat_net(void);
+	bool parse_address(ip_conds &entry);
+	bool parse_port(ip_conds &entry);
 
 	virtual bool valid_prefix(const prefixes &p, const char *&error) {
 		if (p.owner) {

parser/parser.h

@@ -341,6 +341,7 @@ extern int kernel_load;
 extern int kernel_supports_setload;
 extern int features_supports_network;
 extern int features_supports_networkv8;
+extern int features_supports_inet;
 extern int kernel_supports_policydb;
 extern int kernel_supports_diff_encode;
 extern int features_supports_mount;

parser/parser_common.c

@@ -69,6 +69,7 @@ int kernel_load = 1;
 int kernel_supports_setload = 0;	/* kernel supports atomic set loads */
 int features_supports_network = 0;	/* kernel supports network rules */
 int features_supports_networkv8 = 0;	/* kernel supports 4.17 network rules */
+int features_supports_inet = 0; 	/* kernel supports inet network rules */
 int features_supports_unix = 0;		/* kernel supports unix socket rules */
 int kernel_supports_policydb = 0;	/* kernel supports new policydb */
 int features_supports_mount = 0;	/* kernel supports mount rules */

parser/parser_interface.c

@@ -276,7 +276,7 @@ static inline void sd_write_aligned_blob(std::ostringstream &buf, void *b, int b
 	buf.write((const char *) b, b_size);
 }
 
-static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char *name)
+static void sd_write_strn(std::ostringstream &buf, const char *b, int size, const char *name)
 {
 	sd_write_name(buf, name);
 	sd_write8(buf, SD_STRING);
@@ -284,7 +284,7 @@ static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char
 	buf.write(b, size);
 }
 
-static inline void sd_write_string(std::ostringstream &buf, char *b, const char *name)
+static inline void sd_write_string(std::ostringstream &buf, const char *b, const char *name)
 {
 	sd_write_strn(buf, b, strlen(b) + 1, name);
 }
@@ -403,11 +403,7 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
 	sd_write_struct(buf, "profile");
 	if (flattened) {
 		assert(profile->parent);
-		autofree char *name = (char *) malloc(3 + strlen(profile->name) + strlen(profile->parent->name));
-		if (!name)
-			return;
-		sprintf(name, "%s//%s", profile->parent->name, profile->name);
-		sd_write_string(buf, name, NULL);
+		sd_write_string(buf, profile->get_name(false).c_str(), NULL);
 	} else {
 		sd_write_string(buf, profile->name, NULL);
 	}

parser/parser_lex.l

@@ -517,12 +517,6 @@ GT		>
 	}
 }
 
-<NETWORK_MODE>{
-	{IDS} {
-		yylval.id = strdup(yytext);
-		RETURN_TOKEN(TOK_ID);
-	}
-}
 
 <CHANGE_PROFILE_MODE>{
 	safe		{ RETURN_TOKEN(TOK_SAFE); }
@@ -558,7 +552,7 @@ GT		>
 	{LT_EQUAL}	{ RETURN_TOKEN(TOK_LE); }
 }
 
-<UNIX_MODE>{
+<UNIX_MODE,NETWORK_MODE>{
 	listen	{ RETURN_TOKEN(TOK_LISTEN); }
 	accept	{ RETURN_TOKEN(TOK_ACCEPT); }
 	connect	{ RETURN_TOKEN(TOK_CONNECT); }
@@ -567,7 +561,7 @@ GT		>
 	shutdown	{ RETURN_TOKEN(TOK_SHUTDOWN); }
 }
 
-<UNIX_MODE,USERNS_MODE,MQUEUE_MODE>{
+<UNIX_MODE,USERNS_MODE,MQUEUE_MODE,NETWORK_MODE>{
 	create	{ RETURN_TOKEN(TOK_CREATE); }
 }
 
@@ -576,12 +570,12 @@ GT		>
 	delete		{ RETURN_TOKEN(TOK_DELETE); }
 }
 
-<UNIX_MODE,MQUEUE_MODE>{
+<UNIX_MODE,MQUEUE_MODE,NETWORK_MODE>{
 	getattr	{ RETURN_TOKEN(TOK_GETATTR); }
 	setattr	{ RETURN_TOKEN(TOK_SETATTR); }
 }
 
-<DBUS_MODE,UNIX_MODE>{
+<DBUS_MODE,UNIX_MODE,NETWORK_MODE>{
 	bind		{ RETURN_TOKEN(TOK_BIND); }
 }
 
@@ -589,7 +583,7 @@ GT		>
 	eavesdrop	{ RETURN_TOKEN(TOK_EAVESDROP); }
 }
 
-<DBUS_MODE,SIGNAL_MODE,UNIX_MODE>{
+<DBUS_MODE,SIGNAL_MODE,UNIX_MODE,NETWORK_MODE>{
 	send		{ RETURN_TOKEN(TOK_SEND); }
 	receive		{ RETURN_TOKEN(TOK_RECEIVE); }
 }
@@ -600,7 +594,7 @@ GT		>
 	tracedby	{ RETURN_TOKEN(TOK_TRACEDBY); }
 }
 
-<DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE>{
+<DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE,NETWORK_MODE>{
 	read		{ RETURN_TOKEN(TOK_READ); }
 	write		{ RETURN_TOKEN(TOK_WRITE); }
 	{OPEN_PAREN}	{
@@ -621,7 +615,7 @@ GT		>
 	sqpoll { RETURN_TOKEN(TOK_SQPOLL); }
 }
 
-<MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE,IOURING_MODE>{
+<MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE,IOURING_MODE,NETWORK_MODE>{
 	({IDS_NOEQ}|{LABEL}|{QUOTED_ID}) {
 		yylval.id = processid(yytext, yyleng);
 		RETURN_TOKEN(TOK_ID);

parser/parser_main.c

@@ -919,6 +919,9 @@ void set_supported_features()
 	features_supports_networkv8 = features_intersect(kernel_features,
 							 policy_features,
 							 "network_v8");
+	features_supports_inet = features_intersect(kernel_features,
+						    policy_features,
+						    "network_v8/af_inet");
 	features_supports_unix = features_intersect(kernel_features,
 						    policy_features,
 						    "network/af_unix");

parser/parser_regex.c

@@ -882,7 +882,7 @@ static std::string generate_regex_range(bignum start, bignum end)
 	std::ostringstream result;
 	std::vector<std::pair<bignum, bignum>> regex_range;
 	int j;
-	regex_range = regex_range_generator(start, end);
+	regex_range = regex_range_generator(std::move(start), std::move(end));
 	for (auto &i: regex_range) {
 		bignum sstart = i.first;
 		bignum send = i.second;
@@ -942,7 +942,7 @@ int convert_range(std::string& buffer, bignum start, bignum end)
 	pattern_t ptype;
 	int pos;
 
-	std::string regex_range = generate_regex_range(start, end);
+	std::string regex_range = generate_regex_range(std::move(start), std::move(end));
 
 	if (!regex_range.empty()) {
 		ptype = convert_aaregex_to_pcre(regex_range.c_str(), 0, glob_default, buffer, &pos);

parser/parser_yacc.y

@@ -1083,27 +1083,48 @@ link_rule: TOK_LINK opt_subset_flag id_or_var TOK_ARROW id_or_var TOK_END_OF_RUL
 		$$ = entry;
 	};
 
-network_rule: TOK_NETWORK opt_conds TOK_END_OF_RULE
+network_rule: TOK_NETWORK opt_net_perm opt_conds opt_cond_list TOK_END_OF_RULE
 	{
-		network_rule *entry = new network_rule($2);
+		network_rule *entry;
+
+		if ($4.name) {
+			if (strcmp($4.name, "peer") != 0)
+				yyerror(_("network rule: invalid conditional group %s=()"), $4.name);
+			free($4.name);
+		}
+		entry = new network_rule($2, $3, $4.list);
 		$$ = entry;
 	}
 
-network_rule: TOK_NETWORK TOK_ID opt_conds TOK_END_OF_RULE
+network_rule: TOK_NETWORK opt_net_perm TOK_ID opt_conds opt_cond_list TOK_END_OF_RULE
 	{
-		network_rule *entry = new network_rule($2, NULL, NULL, $3);
-		free($2);
-		$$ = entry;
-	}
+		network_rule *entry;
 
-network_rule: TOK_NETWORK TOK_ID TOK_ID opt_conds TOK_END_OF_RULE
-	{
-		network_rule *entry = new network_rule($2, $3, NULL, $4);
-		free($2);
+		if ($5.name) {
+			if (strcmp($5.name, "peer") != 0)
+				yyerror(_("network rule: invalid conditional group %s=()"), $5.name);
+			free($5.name);
+		}
+		entry = new network_rule($2, $3, NULL, NULL, $4, $5.list);
 		free($3);
 		$$ = entry;
 	}
 
+network_rule: TOK_NETWORK opt_net_perm TOK_ID TOK_ID opt_conds opt_cond_list TOK_END_OF_RULE
+	{
+		network_rule *entry;
+
+		if ($6.name) {
+			if (strcmp($6.name, "peer") != 0)
+				yyerror(_("network rule: invalid conditional group %s=()"), $6.name);
+			free($6.name);
+		}
+		entry = new network_rule($2, $3, $4, NULL, $5, $6.list);
+		free($3);
+		free($4);
+		$$ = entry;
+	}
+
 cond: TOK_CONDID
 	{
 		struct cond_entry *ent;

parser/profile.cc

@@ -28,6 +28,7 @@ const char *profile_mode_table[] = {
 	"kill",
 	"unconfined",
 	"prompt",
+	"default_allow",
 	"conflict"		/* should not ever be displayed */
 };
 

parser/profile.h

@@ -64,9 +64,10 @@ enum profile_mode {
 	MODE_KILL = 3,
 	MODE_UNCONFINED = 4,
 	MODE_PROMPT = 5,
-	MODE_CONFLICT = 6	/* greater than MODE_LAST */
+	MODE_DEFAULT_ALLOW = 6,
+	MODE_CONFLICT = 7	/* greater than MODE_LAST */
 };
-#define MODE_LAST MODE_PROMPT
+#define MODE_LAST MODE_DEFAULT_ALLOW
 
 static inline enum profile_mode operator++(enum profile_mode &mode)
 {
@@ -85,6 +86,9 @@ static inline enum profile_mode merge_profile_mode(enum profile_mode l, enum pro
 
 static inline uint32_t profile_mode_packed(enum profile_mode mode)
 {
+	/* until dominance is fixed use unconfined mode for default_allow */
+	if (mode == MODE_DEFAULT_ALLOW)
+		mode = MODE_UNCONFINED;
 	/* kernel doesn't have an unspecified mode everything
 	 * shifts down by 1
 	 */

parser/rc.apparmor.functions

@@ -105,11 +105,12 @@ is_container_with_internal_policy() {
 		return 1
 	fi
 
-	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
-	# "lxc-", respectively. Return non-zero for all other namespace
-	# identifiers.
+	# LXD, Incus and LXC set up AppArmor namespaces starting with "lxd-",
+	# "incus-" and "lxc-", respectively. Return non-zero for all other
+	# namespace identifiers.
 	read -r ns_name < "$ns_name_path"
 	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+	   [ "${ns_name#incus-*}" = "$ns_name" ] && \
 	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then
 		return 1
 	fi

parser/tst/simple_tests/mount/ok_opt_85.sd

@@ -0,0 +1,9 @@
+#
+#=Description test globbed destination MR 1195
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw, make-slave) -> **,
+  mount options=(rw) foo -> **,
+  mount fstype=tmpfs options=(rw) foo -> **,
+  mount -> **,
+}

parser/tst/simple_tests/network/network_bad_10.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=127.0.0.1 port=test),
+
+}

parser/tst/simple_tests/network/network_bad_11.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=127.0.0.1 port=65536),
+
+}

parser/tst/simple_tests/network/network_bad_12.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=[invalid] port=80),
+
+}

parser/tst/simple_tests/network/network_bad_13.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=::1 port=-1),
+
+}

parser/tst/simple_tests/network/network_bad_14.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=::1 port=test),
+
+}

parser/tst/simple_tests/network/network_bad_15.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=::1 port=65536),
+
+}

parser/tst/simple_tests/network/network_bad_16.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=65536),
+
+}

parser/tst/simple_tests/network/network_bad_17.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=-1),
+
+}

parser/tst/simple_tests/network/network_bad_18.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=test),
+
+}

parser/tst/simple_tests/network/network_bad_19.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=192.168.0.39-192.168.0.4),
+
+}

parser/tst/simple_tests/network/network_bad_20.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=192.168.0.39-invalid),
+
+}

parser/tst/simple_tests/network/network_bad_21.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=192.168.0.39-::58c2),
+
+}

parser/tst/simple_tests/network/network_bad_22.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39),
+
+}

parser/tst/simple_tests/network/network_bad_23.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=80-192.168.0.39),
+
+}

parser/tst/simple_tests/network/network_bad_24.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=80-65536),
+
+}

parser/tst/simple_tests/network/network_bad_25.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=443-80),
+
+}

parser/tst/simple_tests/network/network_bad_26.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=invalid/80),
+
+}

parser/tst/simple_tests/network/network_bad_27.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=192.168.0.1/-1),
+
+}

parser/tst/simple_tests/network/network_bad_28.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=192.168.0.1/invalid),
+
+}

parser/tst/simple_tests/network/network_bad_29.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=192.168.0.1/33),
+
+}

parser/tst/simple_tests/network/network_bad_30.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/-1),
+
+}

parser/tst/simple_tests/network/network_bad_31.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/invalid),
+
+}

parser/tst/simple_tests/network/network_bad_32.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/129),
+
+}

parser/tst/simple_tests/network/network_bad_33.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=127.0.0.1 port=test,
+
+}

parser/tst/simple_tests/network/network_bad_34.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=127.0.0.1 port=test peer=(ip=127.0.0.1 port=test),
+
+}

parser/tst/simple_tests/network/network_bad_35.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=127.0.0.1 port=65536,
+
+}

parser/tst/simple_tests/network/network_bad_36.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=127.0.0.1 port=65536 peer=(ip=127.0.0.1 port=65536),
+
+}

parser/tst/simple_tests/network/network_bad_37.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=[invalid] port=80,
+
+}

parser/tst/simple_tests/network/network_bad_38.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=[invalid] port=80 peer=(ip=[invalid] port=80),
+
+}

parser/tst/simple_tests/network/network_bad_39.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=::1 port=-1,
+
+}

parser/tst/simple_tests/network/network_bad_40.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=::1 port=-1 peer=(ip=::1 port=-1),
+
+}

parser/tst/simple_tests/network/network_bad_41.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=::1 port=test,
+
+}

parser/tst/simple_tests/network/network_bad_42.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=::1 port=test peer=(ip=::1 port=test),
+
+}

parser/tst/simple_tests/network/network_bad_43.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=::1 port=65536,
+
+}

parser/tst/simple_tests/network/network_bad_44.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=::1 port=65536 peer=(ip=::1 port=65536),
+
+}

parser/tst/simple_tests/network/network_bad_45.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=65536,
+
+}

parser/tst/simple_tests/network/network_bad_46.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=65536 peer=(port=65536),
+
+}

parser/tst/simple_tests/network/network_bad_47.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=-1,
+
+}

parser/tst/simple_tests/network/network_bad_48.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=-1 peer=(port=-1),
+
+}

parser/tst/simple_tests/network/network_bad_49.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=test,
+
+}

parser/tst/simple_tests/network/network_bad_5.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=10,
+
+}

parser/tst/simple_tests/network/network_bad_50.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=test peer=(port=test),
+
+}

parser/tst/simple_tests/network/network_bad_51.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=192.168.0.39-192.168.0.4,
+
+}

parser/tst/simple_tests/network/network_bad_52.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=192.168.0.39-192.168.0.4 peer=(ip=192.168.0.39-192.168.0.4),
+
+}

parser/tst/simple_tests/network/network_bad_53.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=192.168.0.39-invalid,
+
+}

parser/tst/simple_tests/network/network_bad_54.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=192.168.0.39-invalid peer=(ip=192.168.0.39-invalid),
+
+}

parser/tst/simple_tests/network/network_bad_55.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=192.168.0.39-::58c2,
+
+}

parser/tst/simple_tests/network/network_bad_56.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=192.168.0.39-::58c2 peer=(ip=192.168.0.39-::58c2),
+
+}

parser/tst/simple_tests/network/network_bad_57.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39,
+
+}

parser/tst/simple_tests/network/network_bad_58.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39 peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39),
+
+}

parser/tst/simple_tests/network/network_bad_59.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=80-192.168.0.39,
+
+}

parser/tst/simple_tests/network/network_bad_6.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=10.2,
+
+}

parser/tst/simple_tests/network/network_bad_60.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network ip=80-192.168.0.39 peer=(ip=80-192.168.0.39),
+
+}

parser/tst/simple_tests/network/network_bad_61.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=80-65536,
+
+}

parser/tst/simple_tests/network/network_bad_62.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=80-65536 peer=(port=80-65536),
+
+}