Release: Bump revisions in preparation for 2.13.2 release

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -63,7 +63,8 @@ parser/techdoc.aux
 parser/techdoc.log
 parser/techdoc.pdf
 parser/techdoc.toc
-profiles/apparmor.d/local/*.*
+profiles/apparmor.d/local/*
+!profiles/apparmor.d/local/README
 libraries/libapparmor/Makefile
 libraries/libapparmor/Makefile.in
 libraries/libapparmor/aclocal.m4
@@ -94,6 +95,8 @@ libraries/libapparmor/src/.deps
 libraries/libapparmor/src/.libs
 libraries/libapparmor/src/Makefile
 libraries/libapparmor/src/Makefile.in
+libraries/libapparmor/src/PMurHash.lo
+libraries/libapparmor/src/PMurHash.o
 libraries/libapparmor/src/af_protos.h
 libraries/libapparmor/src/change_hat.lo
 libraries/libapparmor/src/features.lo
@@ -187,6 +190,7 @@ utils/*.tmp
 utils/po/*.mo
 utils/apparmor/*.pyc
 utils/apparmor/rule/*.pyc
+utils/test/common_test.pyc
 utils/test/.coverage
 utils/test/htmlcov/
 utils/vim/apparmor.vim

Makefile

@@ -19,7 +19,7 @@ DIRS=libraries/libapparmor \
 
 # with conversion to git, we don't export from the remote
 REPO_URL?=git@gitlab.com:apparmor/apparmor.git
-REPO_BRANCH?=master
+REPO_BRANCH?=apparmor-2.13
 
 COVERITY_DIR=cov-int
 RELEASE_DIR=apparmor-${VERSION}
@@ -55,9 +55,11 @@ snapshot: clean
 coverity: snapshot
 	cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
 	$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		cov-build --dir $(COVERITY_DIR) -- $(MAKE) -C $(SNAPSHOT_NAME)/$(dir);)
+		cov-build --dir $(COVERITY_DIR) -- $(MAKE) -C $(SNAPSHOT_NAME)/$(dir); \
+		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-$(subst /,.,$(dir)).txt ;)
 	$(foreach dir, libraries/libapparmor utils, \
-		cov-build --dir $(COVERITY_DIR) --no-command --fs-capture-search $(SNAPSHOT_NAME)/$(dir);)
+		cov-build --dir $(COVERITY_DIR) --no-command --fs-capture-search $(SNAPSHOT_NAME)/$(dir); \
+		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir

README.md

@@ -23,9 +23,27 @@ library, available under the LGPL license, which allows change_hat(2)
 and change_profile(2) to be used by non-GPL binaries).
 
 For more information, you can read the techdoc.pdf (available after
-building the parser) and by visiting the http://apparmor.net/ web
+building the parser) and by visiting the https://apparmor.net/ web
 site.
 
+----------------
+Getting in Touch
+----------------
+
+Please send all complaints, feature requests, rants about the software,
+and questions to the
+[AppArmor mailing list](https://lists.ubuntu.com/mailman/listinfo/apparmor).
+
+Bug reports can be filed against the AppArmor project on
+[launchpad](https://bugs.launchpad.net/apparmor) or reported to the mailing
+list directly for those who wish not to register for an account on
+launchpad. See the
+[wiki page](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-bugs)
+for more information.
+
+Security issues can be filed as security bugs on launchpad
+or directed to `security@apparmor.net`. Additional details can be found
+in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
 
 -------------
 Source Layout
@@ -33,6 +51,7 @@ Source Layout
 
 AppArmor consists of several different parts:
 
+```
 binutils/	source for basic utilities written in compiled languages
 changehat/	source for using changehat with Apache, PAM and Tomcat
 common/		common makefile rules
@@ -43,6 +62,7 @@ parser/		source for parser/loader and corresponding documentation
 profiles/	configuration files, reference profiles and abstractions
 tests/		regression and stress testsuites
 utils/		high-level utilities for working with AppArmor
+```
 
 --------------------------------------
 Important note on AppArmor kernel code
@@ -67,63 +87,82 @@ the following order. Some systems may need to export various python-related
 environment variables to complete the build. For example, before building
 anything on these systems, use something along the lines of:
 
+```
 $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
 $ export PYTHON=/usr/bin/python3
 $ export PYTHON_VERSION=3
 $ export PYTHON_VERSIONS=python3
-
+```
 
 libapparmor:
+
+```
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
 $ sh ./configure --prefix=/usr --with-perl --with-python # see below
 $ make
 $ make check
 $ make install
+```
 
 [an additional optional argument to libapparmor's configure is --with-ruby, to
 generate Ruby bindings to libapparmor.]
 
 
 Binary Utilities:
+
+```
 $ cd binutils
 $ make
 $ make check
 $ make install
-
+```
 
 parser:
+
+```
 $ cd parser
 $ make		# depends on libapparmor having been built first
 $ make check
 $ make install
+```
 
 
 Utilities:
+
+```
 $ cd utils
 $ make
 $ make check
 $ make install
-
+```
 
 Apache mod_apparmor:
+
+```
 $ cd changehat/mod_apparmor
 $ make		# depends on libapparmor having been built first
 $ make install
+```
 
 
 PAM AppArmor:
+
+```
 $ cd changehat/pam_apparmor
 $ make		# depends on libapparmor having been built first
 $ make install
+```
 
 
 Profiles:
+
+```
 $ cd profiles
 $ make
 $ make check	# depends on the parser having been built first
 $ make install
-
+```
 
 [Note that for the parser, binutils, and utils, if you only wish to build/use
  some of the locale languages, you can override the default by passing
@@ -144,38 +183,50 @@ For details on structure and adding tests, see
 tests/regression/apparmor/README.
 
 To run:
+
+```
 $ cd tests/regression/apparmor (requires root)
 $ make
 $ sudo make tests
 $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
-
+```
 
 Parser tests
 ------------
 For details on structure and adding tests, see parser/tst/README.
 
 To run:
+
+```
 $ cd parser/tst
 $ make
 $ make tests
-
+```
 
 Libapparmor
 -----------
 For details on structure and adding tests, see libraries/libapparmor/README.
+
+```
 $ cd libraries/libapparmor
 $ make check
+```
 
 Utils
 -----
 Tests for the Python utilities exist in the test/ subdirectory.
+
+```
 $ cd utils
 $ make check
+```
 
 The aa-decode utility to be tested can be overridden by
 setting up environment variable APPARMOR_DECODE; e.g.:
 
+```
 $ APPARMOR_DECODE=/usr/bin/aa-decode make check
+```
 
 Profile checks
 --------------
@@ -183,29 +234,44 @@ A basic consistency check to ensure that the parser and aa-logprof parse
 successfully the current set of shipped profiles. The system or other
 parser and logprof can be passed in by overriding the PARSER and LOGPROF
 variables.
+
+```
 $ cd profiles
 $ make && make check
+```
 
 Stress Tests
 ------------
 To run AppArmor stress tests:
+
+```
 $ make all
+```
 
 Use these:
+
+```
 $ ./change_hat
 $ ./child
 $ ./kill.sh
 $ ./open
 $ ./s.sh
+```
 
 Or run all at once:
+
+```
 $ ./stress.sh
+```
 
 Please note that the above will stress the system so much it may end up
 invoking the OOM killer.
 
 To run parser stress tests (requires /usr/bin/ruby):
+
+```
 $ ./stress.sh
+```
 
 (see stress.sh -h for options)
 
@@ -220,7 +286,10 @@ https://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of
 cov-build.
 
 To generate a compressed tarball of an intermediate Coverity directory:
+
+```
 $ make coverity
+```
 
 The compressed tarball is written to
 apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, where <SNAPSHOT_VERSION>

binutils/aa-enabled.pod

@@ -89,6 +89,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<http://wiki.apparmor.net>.
+apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<https://wiki.apparmor.net>.
 
 =cut

binutils/aa-exec.pod

@@ -88,6 +88,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
-aa_change_onexec(3) and L<http://wiki.apparmor.net>.
+aa_change_onexec(3) and L<https://wiki.apparmor.net>.
 
 =cut

changehat/mod_apparmor/mod_apparmor.pod

@@ -140,6 +140,6 @@ them at L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

common/Version

@@ -1 +1 @@
-2.13
+2.13.2

deprecated/utils/aa-genprof

@@ -138,7 +138,7 @@ my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
 END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
 sysctl_write($ratelimit_sysctl, 0);
 
-UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
+UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles"));
 
 UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events.  \n\nFor each AppArmor event, you will be given the  \nopportunity to choose whether the access should be  \nallowed or denied."));
 
@@ -195,7 +195,7 @@ for my $p (sort keys %helpers) {
 }
 
 UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
-UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttp://wiki.apparmor.net/index.php/Profiles\n"));
+UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n"));
 UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
 exit 0;
 

libraries/libapparmor/configure.ac

@@ -81,7 +81,7 @@ AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
 AC_HEADER_STDC
 AC_CHECK_HEADERS(unistd.h stdint.h syslog.h)
 
-AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv])
+AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv reallocarray])
 
 AM_PROG_CC_C_O
 AC_C_CONST

libraries/libapparmor/doc/aa_change_hat.pod

@@ -257,6 +257,6 @@ should be used.
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
 aa_getcon(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_change_profile.pod

@@ -204,6 +204,6 @@ separate processes should be used.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_hat(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_features.pod

@@ -161,6 +161,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-openat(2) and L<http://wiki.apparmor.net>.
+openat(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -115,6 +115,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_getcon.pod

@@ -132,6 +132,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
-aa_splitcon(3) and L<http://wiki.apparmor.net>.
+aa_splitcon(3) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_kernel_interface.pod

@@ -160,6 +160,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-aa_features(3), openat(2) and L<http://wiki.apparmor.net>.
+aa_features(3), openat(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_policy_cache.pod

@@ -175,6 +175,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 aa_features(3), aa_kernel_interface(3), openat(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_query_label.pod

@@ -128,6 +128,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_getcon(2), aa_splitcon(3)
-and L<http://wiki.apparmor.net>.
+and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_splitcon.pod

@@ -67,6 +67,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-aa_getcon(2) and L<http://wiki.apparmor.net>.
+aa_getcon(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -216,6 +216,6 @@ separate processes should be used.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
-aa_getcon(2) and L<http://wiki.apparmor.net>.
+aa_getcon(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/include/sys/apparmor.h

@@ -68,7 +68,7 @@ extern int aa_is_enabled(void);
 extern int aa_find_mountpoint(char **mnt);
 
 /* Prototypes for self directed domain transitions
- * see <http://apparmor.net>
+ * see <https://apparmor.net>
  * Please see the change_hat(2) manpage for information.
  */
 

libraries/libapparmor/src/Makefile.am

@@ -26,13 +26,13 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
-AA_LIB_CURRENT = 6
+AA_LIB_CURRENT = 7
 AA_LIB_REVISION = 0
-AA_LIB_AGE = 5
+AA_LIB_AGE = 6
 
 SUFFIXES = .pc.in .pc
 
-BUILT_SOURCES = grammar.h scanner.h af_protos.h PMurHash.h
+BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
 AM_CFLAGS = -Wall
@@ -42,8 +42,8 @@ scanner.h: scanner.l
 
 scanner.c: scanner.l
 
-af_protos.h: /usr/include/netinet/in.h
-	 LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@
+af_protos.h:
+	 echo '#include <netinet/in.h>' | $(CC) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h

libraries/libapparmor/src/libapparmor.map

@@ -108,6 +108,13 @@ APPARMOR_2.13 {
         *;
 } APPARMOR_2.11;
 
+APPARMOR_2.13.1 {
+  global:
+        aa_policy_cache_add_ro_dir;
+  local:
+        *;
+} APPARMOR_2.13;
+
 PRIVATE {
 	global:
 		_aa_is_blacklisted;

libraries/libapparmor/src/policy_cache.c

@@ -301,8 +301,10 @@ static int cache_dir_from_path_and_features(char **cache_path,
 		PDEBUG("cache_dir_from_path_and_features() callback found '%s'\n", data.cache_name);
 		*cache_path = data.cache_name;
 		return 0;
-	} else if (rc)
+	} else if (rc) {
+		PDEBUG("cache_dir_from_path_and_features() callback returned an error'%m'\n");
 		return -1;
+	}
 	/* no dir found use 1 higher than highest dir n searched */
 	len = asprintf(&cache_dir, "%s/%s.%d", path, features_id, data.n + 1);
 	if (len == -1)
@@ -313,18 +315,20 @@ static int cache_dir_from_path_and_features(char **cache_path,
 	return 0;
 }
 
+/* will return the cache_dir or NULL */
 static int open_or_create_cache_dir(aa_features *features, int dirfd,
-				    const char *path, bool create)
+				    const char *path, bool create,
+				    char **cache_dir)
 {
-	autofree char *cache_dir = NULL;
 	int fd;
 
-	if (cache_dir_from_path_and_features(&cache_dir, dirfd, path,
+	*cache_dir = NULL;
+	if (cache_dir_from_path_and_features(cache_dir, dirfd, path,
 					     features))
 		return -1;
 
 open:
-	fd = openat(dirfd, cache_dir, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
+	fd = openat(dirfd, *cache_dir, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
 	if (fd < 0) {
 		/* does the dir exist? */
 		if (create && errno == ENOENT) {
@@ -336,23 +340,24 @@ open:
 			 *    /etc/apparmor.d/cache.d/<features_id>/
 			 * 3) Try to reopen the cache directory
 			 */
-			if (mkdirat(fd, path, 0700) == -1 &&
+			if (mkdirat(dirfd, path, 0700) == -1 &&
 			    errno != EEXIST) {
 				PERROR("Can't create cache location '%s': %m\n",
 				       path);
-			} else if (mkdirat(dirfd, cache_dir, 0700) == -1 &&
+			} else if (mkdirat(dirfd, *cache_dir, 0700) == -1 &&
 				   errno != EEXIST) {
 				PERROR("Can't create cache directory '%s': %m\n",
-				       cache_dir);
+				       *cache_dir);
 			} else {
 				goto open;
 			}
 		} else if (create) {
-			PERROR("Can't update cache directory '%s': %m\n", cache_dir);
+			PERROR("Can't update cache directory '%s': %m\n", *cache_dir);
 		} else {
-			PDEBUG("Cache directory '%s' does not exist\n", cache_dir);
+			PDEBUG("Cache directory '%s' does not exist\n", *cache_dir);
 		}
 
+		PDEBUG("Could not open cache_dir: %m");
 		return -1;
 	}
 
@@ -380,6 +385,7 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 			aa_features *kernel_features,
 			int dirfd, const char *path, uint16_t max_caches)
 {
+	autofree char *cache_dir = NULL;
 	aa_policy_cache *pc;
 	bool create = max_caches > 0;
 	autofree const char *features_id = NULL;
@@ -407,13 +413,16 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 		aa_features_ref(kernel_features);
 	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
 		aa_policy_cache_unref(pc);
+		PDEBUG("%s: Failed to obtain features %m\n", __FUNCTION__);
 		return -1;
 	}
 	pc->features = kernel_features;
 
-	fd = open_or_create_cache_dir(kernel_features, dirfd, path, create);
+	fd = open_or_create_cache_dir(kernel_features, dirfd, path, create,
+				      &cache_dir);
 	if (fd == -1) {
 		aa_policy_cache_unref(pc);
+		PDEBUG("%s: Failed to open_or_create_dir %m\n", __FUNCTION__);
 		return -1;
 	}
 	pc->dirfd[0] = fd;
@@ -443,16 +452,20 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 int aa_policy_cache_add_ro_dir(aa_policy_cache *policy_cache, int dirfd,
 			       const char *path)
 {
+	autofree char *cache_dir = NULL;
 	int fd;
 
 	if (policy_cache->n >= MAX_POLICY_CACHE_OVERLAY_DIRS) {
 		errno = ENOSPC;
+		PDEBUG("%s: exceeded number of supported cache overlays\n", __FUNCTION__);
 		return -1;
 	}
 	fd = open_or_create_cache_dir(policy_cache->features, dirfd, path,
-				      false);
-	if (fd == -1)
+				      false, &cache_dir);
+	if (fd == -1) {
+		PDEBUG("%s: failed to open_or_create_cache_dir %m\n", __FUNCTION__);
 		return -1;
+	}
 	policy_cache->dirfd[policy_cache->n++] = fd;
 
 	return 0;

libraries/libapparmor/src/private.c

@@ -38,11 +38,24 @@
 #ifndef HAVE_SECURE_GETENV
  #ifdef HAVE___SECURE_GETENV
   #define secure_getenv __secure_getenv
+ #elif ENABLE_DEBUG_OUTPUT
+  #error Debug output is not possible without a secure_getenv() implementation.
  #else
-  #error neither secure_getenv nor __secure_getenv is available
+  #define secure_getenv(env) NULL
  #endif
 #endif
 
+/**
+ * Allow libapparmor to build on older glibcs and other libcs that do
+ * not support reallocarray.
+ */
+#ifndef HAVE_REALLOCARRY
+void *reallocarray(void *ptr, size_t nmemb, size_t size)
+{
+	return realloc(ptr, nmemb * size);
+}
+#endif
+
 struct ignored_suffix_t {
 	const char * text;
 	int len;
@@ -173,16 +186,6 @@ int _aa_asprintf(char **strp, const char *fmt, ...)
 	return rc;
 }
 
-static int dot_or_dot_dot_filter(const struct dirent *ent)
-{
-	if (strcmp(ent->d_name, ".") == 0 ||
-	    strcmp(ent->d_name, "..") == 0)
-		return 0;
-
-	return 1;
-}
-
-
 /* stops on first error, can use errno or return value to communicate
  * the goal is to use this to replace _aa_dirat_for_each, but that will
  * be a different patch.
@@ -191,6 +194,7 @@ int _aa_dirat_for_each2(int dirfd, const char *name, void *data,
 			int (* cb)(int, const struct dirent *, void *))
 {
 	autoclose int cb_dirfd = -1;
+	int fd_for_dir = -1;
 	const struct dirent *ent;
 	DIR *dir;
 	int save, rc;
@@ -206,15 +210,16 @@ int _aa_dirat_for_each2(int dirfd, const char *name, void *data,
 		PDEBUG("could not open directory fd '%d' '%s': %m\n", dirfd, name);
 		return -1;
 	}
-	dir = fdopendir(cb_dirfd);
-	if (!dir) {
-		PDEBUG("could not open directory '%s' from fd '%d': %m\n", name, cb_dirfd);
+	/* dup cd_dirfd because fdopendir has claimed the fd passed to it */
+	fd_for_dir = dup(cb_dirfd);
+	if (fd_for_dir == -1) {
+		PDEBUG("could not dup directory fd '%s': %m\n", name);
 		return -1;
 	}
-	/* dup cd_dirfd because fdopendir has claimed the fd passed to it */
-	cb_dirfd = dup(cb_dirfd);
+	dir = fdopendir(fd_for_dir);
 	if (!dir) {
-		PDEBUG("could not dup directory fd '%s': %m\n", name);
+		PDEBUG("could not open directory '%s' from fd '%d': %m\n", name, fd_for_dir);
+		close(fd_for_dir);
 		return -1;
 	}
 
@@ -306,6 +311,79 @@ fail:									\
 	rc;								\
 })
 
+static ssize_t readdirfd(int dirfd, struct dirent ***out,
+			  int (*dircmp)(const struct dirent **, const struct dirent **))
+{
+	struct dirent **dents = NULL, *dent;
+	ssize_t n = 0;
+	size_t i;
+	int save;
+	DIR *dir;
+
+	*out = NULL;
+
+	/*
+	 * closedir(dir) will close the underlying fd, so we need
+	 * to dup first
+	 */
+	if ((dirfd = dup(dirfd)) < 0) {
+		PDEBUG("dup of dirfd failed: %m\n");
+		return -1;
+	}
+
+	if ((dir = fdopendir(dirfd)) == NULL) {
+		PDEBUG("fdopendir of dirfd failed: %m\n");
+		close(dirfd);
+		return -1;
+	}
+
+	/* Get number of directory entries */
+	while ((dent = readdir(dir)) != NULL) {
+		if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
+			continue;
+		n++;
+	}
+	rewinddir(dir);
+
+	dents = calloc(n, sizeof(struct dirent *));
+	if (!dents)
+		goto fail;
+
+	for (i = 0; i < n; ) {
+		if ((dent = readdir(dir)) == NULL) {
+			PDEBUG("readdir of entry[%d] failed: %m\n", i);
+			goto fail;
+		}
+
+		if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
+			continue;
+
+		dents[i] = malloc(sizeof(*dents[i]));
+		if (!dents[i])
+			goto fail;
+		memcpy(dents[i], dent, sizeof(*dent));
+		i++;
+	}
+
+	if (dircmp)
+		qsort(dents, n, sizeof(*dent), (int (*)(const void *, const void *))dircmp);
+
+	*out = dents;
+	closedir(dir);
+	return n;
+
+fail:
+	save = errno;
+	if (dents) {
+		for (i = 0; i < n; i++)
+			free(dents[i]);
+	}
+	free(dents);
+	closedir(dir);
+	errno = save;
+	return -1;
+}
+
 int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
 			int (* cb)(int, const char *, struct stat *, void *))
 {
@@ -316,8 +394,7 @@ int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
 	int rc = 0;
 
 	for (i = 0; i < n; i++) {
-		n_list = scandirat(dirfd[i], ".", &list, dot_or_dot_dot_filter,
-				   alphasort);
+		n_list = readdirfd(dirfd[i], &list, alphasort);
 		if (n_list == -1) {
 			PDEBUG("scandirat of dirfd[%d] failed: %m\n", i);
 			return -1;
@@ -398,8 +475,7 @@ int _aa_dirat_for_each(int dirfd, const char *name, void *data,
 		return -1;
 	}
 
-	num_dirs = scandirat(cb_dirfd, ".", &namelist,
-			     dot_or_dot_dot_filter, NULL);
+	num_dirs = readdirfd(cb_dirfd, &namelist, NULL);
 	if (num_dirs == -1) {
 		PDEBUG("scandirat of directory '%s' failed: %m\n", name);
 		return -1;

libraries/libapparmor/swig/perl/Makefile.am

@@ -12,6 +12,7 @@ LibAppArmor.pm: libapparmor_wrap.c
 
 Makefile.perl: Makefile.PL LibAppArmor.pm
 	$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+	sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
 	sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
 
 LibAppArmor.so: libapparmor_wrap.c Makefile.perl

libraries/libapparmor/swig/python/setup.py.in

@@ -5,7 +5,7 @@ setup(name          = 'LibAppArmor',
       version       = '@VERSION@',
       author        = 'AppArmor Dev Team',
       author_email  = 'apparmor@lists.ubuntu.com',
-      url           = 'http://wiki.apparmor.net',
+      url           = 'https://wiki.apparmor.net',
       description   = 'AppArmor python bindings',
       download_url  = 'https://launchpad.net/apparmor/+download',
       package_dir   = {'LibAppArmor': '@srcdir@'},

parser/Makefile

@@ -30,9 +30,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
 LOCALEDIR=/usr/share/locale
 MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 aa-teardown.8
 
-YACC	:= /usr/bin/bison
+YACC	:= bison
 YFLAGS	:= -d
-LEX	:= /usr/bin/flex
+LEX	:= flex
 LEXFLAGS = -B -v
 WARNINGS = -Wall
 EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
@@ -383,9 +383,9 @@ install-indep: indep
 install-systemd:
 	install -m 755 -d $(SYSTEMD_UNIT_DIR)
 	install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
-	install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
-	install -m 755 -d $(DESTDIR)/sbin
-	install -m 755 aa-teardown $(DESTDIR)/sbin
+	install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
+	install -m 755 -d $(DESTDIR)/usr/sbin
+	install -m 755 aa-teardown $(DESTDIR)/usr/sbin
 
 ifndef VERBOSE
 .SILENT: clean

parser/README

@@ -2,19 +2,6 @@ The apparmor_parser allows you to add, replace, and remove AppArmor
 policy through the use of command line options. The default is to add.
 `apparmor_parser --help` shows what the command line options are.
 
-You can also find more information at http://wiki.apparmor.net
-
-Please send all complaints, feature requests, rants about the software,
-and questions to the apparmor@lists.ubuntu.com mailing list. Bug
-reports can be filed against the AppArmor project on launchpad.net at
-https://launchpad.net/apparmor or reported to the mailing list directly
-for those who wish not to register for an account on launchpad.
-
-Security issues can be filed as security bugs on launchpad
-or directed to security@ubuntu.com. We will attempt to
-conform to the RFP vulnerability disclosure protocol:
-http://www.wiretrip.net/rfp/policy.html
-
-Thanks.
+You can also find more information at https://wiki.apparmor.net
 
 -- The AppArmor development team

parser/aa-teardown.pod

@@ -35,6 +35,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), and L<http://wiki.apparmor.net>.
+apparmor(7), apparmor.d(5), and L<https://wiki.apparmor.net>.
 
 =cut

parser/apparmor.d.pod

@@ -1611,6 +1611,6 @@ negative values match when specifying one or the other. Eg, 'rw' matches when
 
 apparmor(7), apparmor_parser(8), aa-complain(1),
 aa-enforce(1), aa_change_hat(2), mod_apparmor(5), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

parser/apparmor.pod

@@ -143,6 +143,56 @@ messages with the KERN facility. Thus, REJECTING and PERMITTING messages
 may go to either F</var/log/audit/audit.log> or F</var/log/messages>,
 depending upon local configuration.
 
+=head1 DEBUGGING
+
+AppArmor provides a few facilities to log more information,
+which can help debugging profiles.
+
+=head2 Enable debug mode
+
+When debug mode is enabled, AppArmor will log a few extra messages to
+dmesg (not via the audit subsystem). For example, the logs will tell
+whether environment scrubbing has been applied.
+
+To enable debug mode, run:
+
+	echo 1 > /sys/module/apparmor/parameters/debug
+
+=head2 Turn off deny audit quieting
+
+By default, operations that trigger C<deny> rules are not logged.
+This is called I<deny audit quieting>.
+
+To turn off deny audit quieting, run:
+
+	echo -n noquiet >/sys/module/apparmor/parameters/audit
+
+=head2 Force audit mode
+
+AppArmor can log a message for every operation that triggers a rule
+configured in the policy. This is called I<force audit mode>.
+
+B<Warning!> Force audit mode can be extremely noisy even for a single profile,
+let alone when enabled globally.
+
+To set a specific profile in force audit mode, add the C<audit> flag:
+
+	profile foo flags=(audit) { ... }
+
+To enable force audit mode globally, run:
+
+	echo -n all > /sys/module/apparmor/parameters/audit
+
+If auditd is not running, to avoid losing too many of the extra log
+messages, you will likely have to turn off rate limiting by doing:
+
+	echo 0 > /proc/sys/kernel/printk_ratelimit
+
+But even then the kernel ring buffer may overflow and you might
+lose messages.
+
+Else, if auditd is running, see auditd(8) and auditd.conf(5).
+
 =head1 FILES
 
 =over 4
@@ -165,6 +215,6 @@ apparmor_parser(8), aa_change_hat(2), apparmor.d(5),
 subdomain.conf(5), aa-autodep(1), clean(1),
 auditd(8),
 aa-unconfined(8), aa-enforce(1), aa-complain(1), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

parser/apparmor_parser.pod

@@ -247,7 +247,7 @@ If a cache directory name needs to have a comma as part of the name, it
 can be specified by using a backslash to escape the comma character in
 the directory name.
 
-If not specified the cache location defaults to /etc/apparmor.d/cache.d
+If not specified the cache location defaults to /var/cache/apparmor
 
 =item --print-cache-dir
 
@@ -355,6 +355,17 @@ This option tells the parser to not attempt to rebuild the cache on
 failure, instead the parser continues on with processing the remaining
 profiles.
 
+=item --config-file
+
+Specify the config file to use instead of
+/etc/apparmor/parser.conf. This option will be processed early before
+regular options regardless of the order it is specified in.
+
+=item --print-config-file
+
+Print the config file location that will be used.
+
+
 =back
 
 =head1 CONFIG FILE
@@ -397,6 +408,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), subdomain.conf(5), aa_change_hat(2), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

parser/parser_alias.c

@@ -25,6 +25,8 @@
 #include "parser.h"
 #include "profile.h"
 
+typedef int (*comparison_fn_t)(const void *, const void *);
+
 struct alias_rule {
 	char *from;
 	char *to;

parser/parser_lex.l

@@ -261,6 +261,7 @@ LT_EQUAL	<=
 %x CHANGE_PROFILE_MODE
 %x INCLUDE
 %x INCLUDE_EXISTS
+%x ABI_MODE
 
 %%
 
@@ -315,6 +316,19 @@ LT_EQUAL	<=
 	}
 }
 
+<ABI_MODE>{
+	(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS})	{ /* <filename> | <"filename"> | "filename" | filename */
+		int lt = *yytext == '<'  ? 1 : 0;
+		char *filename = processid(yytext + lt, yyleng - lt*2);
+		bool exists = YYSTATE == INCLUDE_EXISTS;
+
+		if (!filename)
+			yyerror(_("Failed to process filename\n"));
+		yylval.id = filename;
+		POP_AND_RETURN(TOK_ID);
+	}
+}
+
 <<EOF>> {
 	fclose(yyin);
 	pop_include_stack();
@@ -666,6 +680,9 @@ include/{WS}	{
 	case TOK_UNIX:
 		state = UNIX_MODE;
 		break;
+	case TOK_ABI:
+		state = ABI_MODE;
+		break;
 	default: /* nothing */
 		break;
 	}
@@ -719,4 +736,5 @@ unordered_map<int, string> state_names = {
 	STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
 	STATE_TABLE_ENT(INCLUDE),
 	STATE_TABLE_ENT(INCLUDE_EXISTS),
+	STATE_TABLE_ENT(ABI_MODE),
 };

parser/parser_main.c

@@ -59,6 +59,8 @@
 #define PRIVILEGED_OPS (kernel_load)
 #define UNPRIVILEGED_OPS (!(PRIVILEGED_OPS))
 
+#define EARLY_ARG_CONFIG_FILE 141
+
 const char *parser_title	= "AppArmor parser";
 const char *parser_copyright	= "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2018 Canonical Ltd.";
 
@@ -102,13 +104,16 @@ bool debug_jobs = false;
 struct timespec cache_tstamp, mru_policy_tstamp;
 
 static char *apparmorfs = NULL;
-static char *cacheloc[MAX_CACHE_LOCS];
+static const char *cacheloc[MAX_CACHE_LOCS];
 static int cacheloc_n = 0;
 static bool print_cache_dir = false;
 
 static aa_features *compile_features = NULL;
 static aa_features *kernel_features = NULL;
 
+static const char *config_file = "/etc/apparmor/parser.conf";
+
+
 /* Make sure to update BOTH the short and long_options */
 static const char *short_options = "ad::f:h::rRVvI:b:BCD:NSm:M:qQn:XKTWkL:O:po:j:";
 struct option long_options[] = {
@@ -129,7 +134,6 @@ struct option long_options[] = {
 	{"ofile",		1, 0, 'o'},
 	{"match-string",	1, 0, 'm'},
 	{"features-file",	1, 0, 'M'},
-	{"kernel-features",	1, 0, 138},	/* no short option */
 	{"quiet",		0, 0, 'q'},
 	{"skip-kernel-load",	0, 0, 'Q'},
 	{"verbose",		0, 0, 'v'},
@@ -139,9 +143,6 @@ struct option long_options[] = {
 	{"skip-read-cache",	0, 0, 'T'},
 	{"write-cache",		0, 0, 'W'},
 	{"show-cache",		0, 0, 'k'},
-	{"skip-bad-cache",	0, 0, 129},	/* no short option */
-	{"purge-cache",		0, 0, 130},	/* no short option */
-	{"create-cache-dir",	0, 0, 131},	/* no short option */
 	{"cache-loc",		1, 0, 'L'},
 	{"debug",		2, 0, 'd'},
 	{"dump",		1, 0, 'D'},
@@ -149,13 +150,21 @@ struct option long_options[] = {
 	{"optimize",		1, 0, 'O'},
 	{"Optimize",		1, 0, 'O'},
 	{"preprocess",		0, 0, 'p'},
+	{"jobs",		1, 0, 'j'},
+	{"skip-bad-cache",	0, 0, 129},	/* no short option */
+	{"purge-cache",		0, 0, 130},	/* no short option */
+	{"create-cache-dir",	0, 0, 131},	/* no short option */
 	{"abort-on-error",	0, 0, 132},	/* no short option */
 	{"skip-bad-cache-rebuild",	0, 0, 133},	/* no short option */
 	{"warn",		1, 0, 134},	/* no short option */
 	{"debug-cache",		0, 0, 135},	/* no short option */
-	{"jobs",		1, 0, 'j'},
 	{"max-jobs",		1, 0, 136},	/* no short option */
 	{"print-cache-dir",	0, 0, 137},	/* no short option */
+	{"kernel-features",	1, 0, 138},	/* no short option */
+	{"compile-features",	1, 0, 139},	/* no short option */
+	{"print-config-file",	0, 0, 140},	/* no short option */
+	{"config-file",		1, 0, EARLY_ARG_CONFIG_FILE},	/* early option, no short option */
+
 	{NULL, 0, 0, 0},
 };
 
@@ -185,7 +194,8 @@ static void display_usage(const char *command)
 	       "-I n, --Include n	Add n to the search path\n"
 	       "-f n, --subdomainfs n	Set location of apparmor filesystem\n"
 	       "-m n, --match-string n  Use only features n\n"
-	       "-M n, --features-file n Compile features set in file n\n"
+	       "-M n, --features-file n Set compile & kernel features to file n\n"
+	       "--compile-features n    Compile features set in file n\n"
 	       "--kernel-features n     Kernel features set in file n\n"
 	       "-n n, --namespace n	Set Namespace for the profile\n"
 	       "-X, --readimpliesX	Map profile read permissions to mr\n"
@@ -211,6 +221,8 @@ static void display_usage(const char *command)
 	       "--max-jobs n		Hard cap on --jobs. Default 8*cpus\n"
 	       "--abort-on-error	Abort processing of profiles on first error\n"
 	       "--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel\n"
+	       "--config-file n		Specify the parser config file location, processed early before other options.\n"
+	       "--print-config		Print config file location\n"
 	       "--warn n		Enable warnings (see --help=warn)\n"
 	       ,command);
 }
@@ -232,7 +244,7 @@ void display_warn(const char *command)
 }
 
 /* Parse comma separated cachelocations. Commas can be escaped by \, */
-static int parse_cacheloc(const char *arg, char **cacheloc, int max_size)
+static int parse_cacheloc(const char *arg, const char **cacheloc, int max_size)
 {
 	const char *s = arg;
 	const char *p = arg;
@@ -244,15 +256,17 @@ static int parse_cacheloc(const char *arg, char **cacheloc, int max_size)
 				p++;
 		} else if (*p == ',') {
 			if (p != s) {
+				char *tmp;
 				if (n == max_size) {
 					errno = E2BIG;
 					return -1;
 				}
-				cacheloc[n] = (char *) malloc(p - s + 1);
-				if (cacheloc[n] == NULL)
+				tmp = (char *) malloc(p - s + 1);
+				if (tmp == NULL)
 					return -1;
-				memcpy(cacheloc[n], s, p - s);
-				cacheloc[n][p - s] = 0;
+				memcpy(tmp, s, p - s);
+				tmp[p - s] = 0;
+				cacheloc[n] = tmp;
 				n++;
 			}
 			p++;
@@ -261,15 +275,17 @@ static int parse_cacheloc(const char *arg, char **cacheloc, int max_size)
 			p++;
 	}
 	if (p != s) {
+		char *tmp;
 		if (n == max_size) {
 			errno = E2BIG;
 			return -1;
 		}
-		cacheloc[n] = (char *) malloc(p - s + 1);
-		if (cacheloc[n] == NULL)
+		tmp = (char *) malloc(p - s + 1);
+		if (tmp == NULL)
 			return -1;
-		memcpy(cacheloc[n], s, p - s);
-		cacheloc[n][p - s] = 0;
+		memcpy(tmp, s, p - s);
+		tmp[p - s] = 0;
+		cacheloc[n] = tmp;
 		n++;
 	}
 
@@ -373,6 +389,16 @@ static long process_jobs_arg(const char *arg, const char *val) {
 	return n;
 }
 
+
+bool early_arg(int c) {
+	switch(c) {
+	case EARLY_ARG_CONFIG_FILE:
+		return true;
+	}
+
+	return false;
+}
+
 /* process a single argment from getopt_long
  * Returns: 1 if an action arg, else 0
  */
@@ -510,14 +536,21 @@ static int process_arg(int c, char *optarg)
 		}
 		break;
 	case 'M':
+		if (compile_features)
+			aa_features_unref(compile_features);
+		if (kernel_features)
+			aa_features_unref(kernel_features);
 		if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
 			fprintf(stderr,
 				"Failed to load features from '%s': %m\n",
 				optarg);
 			exit(1);
 		}
+		kernel_features = aa_features_ref(compile_features);
 		break;
 	case 138:
+		if (kernel_features)
+			aa_features_unref(kernel_features);
 		if (aa_features_new(&kernel_features, AT_FDCWD, optarg)) {
 			fprintf(stderr,
 				"Failed to load kernel features from '%s': %m\n",
@@ -525,6 +558,16 @@ static int process_arg(int c, char *optarg)
 			exit(1);
 		}
 		break;
+	case 139:
+		if (compile_features)
+			aa_features_unref(compile_features);
+		if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
+			fprintf(stderr,
+				"Failed to load compile features from '%s': %m\n",
+				optarg);
+			exit(1);
+		}
+		break;
 	case 'q':
 		conf_verbose = 0;
 		conf_quiet = 1;
@@ -605,6 +648,16 @@ static int process_arg(int c, char *optarg)
 		kernel_load = 0;
 		print_cache_dir = true;
 		break;
+	case EARLY_ARG_CONFIG_FILE:
+		config_file = strdup(optarg);
+		if (!config_file) {
+			PERROR("%s: %m", progname);
+			exit(1);
+		}
+		break;
+	case 140:
+		printf("%s\n", config_file);
+		break;
 	default:
 		/* 'unrecognized option' error message gets printed by getopt_long() */
 		exit(1);
@@ -614,15 +667,31 @@ static int process_arg(int c, char *optarg)
 	return count;
 }
 
+static void process_early_args(int argc, char *argv[])
+{
+	int c, o;
+
+	while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1)
+	{
+		if (early_arg(c))
+			process_arg(c, optarg);
+	}
+
+	/* reset args, so we are ready for a second pass */
+	optind = 1;
+}
+
 static int process_args(int argc, char *argv[])
 {
 	int c, o;
 	int count = 0;
 	option = OPTION_ADD;
 
+	opterr = 1;
 	while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1)
 	{
-		count += process_arg(c, optarg);
+		if (!early_arg(c))
+			count += process_arg(c, optarg);
 	}
 
 	if (count > 1) {
@@ -642,8 +711,10 @@ static int process_config_file(const char *name)
 	int c, o;
 
 	f = fopen(name, "r");
-	if (!f)
+	if (!f) {
+		pwarn("config file '%s' not found\n", name);
 		return 0;
+	}
 
 	while ((c = getopt_long_file(f, long_options, &optarg, &o)) != -1)
 		process_arg(c, optarg);
@@ -742,7 +813,7 @@ static bool do_print_cache_dir(aa_features *features, int dirfd, const char *pat
 	return true;
 }
 
-static bool do_print_cache_dirs(aa_features *features, char **cacheloc,
+static bool do_print_cache_dirs(aa_features *features, const char **cacheloc,
 				int cacheloc_n)
 {
 	int i;
@@ -858,7 +929,9 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
 			return errno;
 		}
 	} else {
-		pwarn("%s: cannot use or update cache, disable, or force-complain via stdin\n", progname);
+		if (write_cache)
+			pwarn("%s: cannot use or update cache, disable, or force-complain via stdin\n", progname);
+		skip_cache = write_cache = 0;
 	}
 
 	reset_parser(profilename);
@@ -1189,7 +1262,8 @@ int main(int argc, char *argv[])
 
 	init_base_dir();
 
-	process_config_file("/etc/apparmor/parser.conf");
+	process_early_args(argc, argv);
+	process_config_file(config_file);
 	optind = process_args(argc, argv);
 
 	setup_parallel_compile();
@@ -1221,13 +1295,7 @@ int main(int argc, char *argv[])
 		uint16_t max_caches = write_cache && cond_clear_cache ? (uint16_t) (-1) : 0;
 
 		if (!cacheloc[0]) {
-			char *tmp;
-
-			if (asprintf(&tmp, "%s/cache.d", basedir) == -1) {
-				PERROR(_("Memory allocation error."));
-				return 1;
-			}
-			cacheloc[0] = tmp;
+			cacheloc[0] = "/var/cache/apparmor";
 			cacheloc_n = 1;
 		}
 		if (print_cache_dir)
@@ -1247,7 +1315,6 @@ int main(int argc, char *argv[])
 
 		if (create_cache_dir)
 			pwarn(_("The --create-cache-dir option is deprecated. Please use --write-cache.\n"));
-
 		retval = aa_policy_cache_new(&policy_cache, kernel_features,
 					     AT_FDCWD, cacheloc[0], max_caches);
 		if (retval) {

parser/parser_misc.c

@@ -111,6 +111,7 @@ static struct keyword_table keyword_table[] = {
 	{"trace",		TOK_TRACE},
 	{"tracedby",		TOK_TRACEDBY},
 	{"readby",		TOK_READBY},
+	{"abi",			TOK_ABI},
 
 	/* terminate */
 	{NULL, 0}

parser/parser_symtab.c

@@ -25,6 +25,9 @@
 #include "immunix.h"
 #include "parser.h"
 
+typedef int (*comparison_fn_t)(const void *, const void *);
+typedef void (*__free_fn_t)(void *);
+
 enum var_type {
 	sd_boolean,
 	sd_set,

parser/parser_yacc.y

@@ -152,6 +152,7 @@ void add_local_entry(Profile *prof);
 %token TOK_TRACE
 %token TOK_TRACEDBY
 %token TOK_READBY
+%token TOK_ABI
 
  /* rlimits */
 %token TOK_RLIMIT
@@ -400,6 +401,7 @@ hat: hat_start profile_base
 preamble: { /* nothing */ }
 	| preamble alias { /* nothing */ };
 	| preamble varassign { /* nothing */ };
+	| preamble abi_rule { /* nothing */ };
 
 alias: TOK_ALIAS TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
@@ -615,6 +617,8 @@ rules:	{ /* nothing */
 		$$ = prof;
 	};
 
+rules: rules abi_rule { /* nothing */ }
+
 rules:  rules opt_prefix rule
 	{
 		PDEBUG("matched: rules rule\n");
@@ -1065,6 +1069,12 @@ opt_named_transition: { /* nothing */ $$ = NULL; }
 rule: file_rule { $$ = $1; }
 	| link_rule { $$ = $1; }
 
+abi_rule: TOK_ABI TOK_ID TOK_END_OF_RULE
+	{
+		pwarn(_("%s: Profile abi not supported, falling back to system abi.\n"), progname);
+		free($2);
+	};
+
 opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; }
 	| TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; };
 	| TOK_SAFE { $$ = EXEC_MODE_SAFE; };

parser/rc.apparmor.functions

@@ -113,11 +113,13 @@ skip_profile() {
 	local profile=$1
 	if [ "${profile%.rpmnew}" != "${profile}" -o \
 	     "${profile%.rpmsave}" != "${profile}" -o \
+	     "${profile%.orig}" != "${profile}" -o \
+	     "${profile%.rej}" != "${profile}" -o \
 	     -e "${PROFILE_DIR}/disable/`basename ${profile}`" -o \
 	     "${profile%\~}" != "${profile}" ] ; then
 		return 1
 	fi
-	# Silently ignore the dpkg and pacman files
+	# Silently ignore the dpkg, pacman, and xbps files
 	if [ "${profile%.dpkg-new}" != "${profile}" -o \
 	     "${profile%.dpkg-old}" != "${profile}" -o \
 	     "${profile%.dpkg-dist}" != "${profile}" -o \
@@ -127,6 +129,9 @@ skip_profile() {
 	     "${profile%.pacnew}" != "${profile}" ] ; then
 		return 2
 	fi
+	if echo "${profile}" | egrep -q '^.+\.new-[0-9\.]+_[0-9]+$'; then
+		return 2
+	fi
 
 	return 0
 }

parser/subdomain.conf.pod

@@ -101,4 +101,4 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor_parser(8), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.

parser/tst/Makefile

@@ -4,6 +4,8 @@ TESTS=simple.pl
 PARSER_DIR=..
 PARSER_BIN=apparmor_parser
 PARSER=$(PARSER_DIR)/$(PARSER_BIN)
+# parser.conf to use in tests. Note that some test scripts have the parser options hardcoded, so passing PARSER_ARGS=... is not enough to override it.
+PARSER_ARGS=--config-file=./parser.conf
 PROVE_ARG=-f
 
 ifeq ($(VERBOSE),1)
@@ -30,14 +32,14 @@ gen_dbus: $(GEN_TRANS_DIRS)
 	./gen-dbus.pl
 
 error_output: $(PARSER)
-	LANG=C $(PARSER) -S -I errors >/dev/null errors/okay.sd
-	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/single.sd | \
+	LANG=C $(PARSER) $(PARSER_ARGS) -S -I errors >/dev/null errors/okay.sd
+	LANG=C $(PARSER) $(PARSER_ARGS) -S -I errors 2>&1 >/dev/null errors/single.sd | \
 		grep -q "AppArmor parser error for errors/single.sd in errors/single.sd at line 3: Could not open 'failure'"
-	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/double.sd | \
+	LANG=C $(PARSER) $(PARSER_ARGS) -S -I errors 2>&1 >/dev/null errors/double.sd | \
 		grep -q "AppArmor parser error for errors/double.sd in errors/includes/busted at line 66: Could not open 'does-not-exist'"
-	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/modefail.sd | \
+	LANG=C $(PARSER) $(PARSER_ARGS) -S -I errors 2>&1 >/dev/null errors/modefail.sd | \
 		grep -q "AppArmor parser error for errors/modefail.sd in errors/modefail.sd at line 6: syntax error"
-	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/multi_include.sd | \
+	LANG=C $(PARSER) $(PARSER_ARGS) -S -I errors 2>&1 >/dev/null errors/multi_include.sd | \
 		grep -q "AppArmor parser error for errors/multi_include.sd in errors/multi_include.sd at line 12: Could not open 'failure'"
 	@echo "Error Output: PASS"
 
@@ -48,13 +50,13 @@ caching: $(PARSER)
 	LANG=C ./caching.py -p "$(PARSER)" $(PYTEST_ARG)
 
 minimize: $(PARSER)
-	LANG=C APPARMOR_PARSER="$(PARSER)" ./minimize.sh
+	LANG=C APPARMOR_PARSER="$(PARSER) $(PARSER_ARGS)" ./minimize.sh
 
 equality: $(PARSER)
-	LANG=C APPARMOR_PARSER="$(PARSER)" ./equality.sh
+	LANG=C APPARMOR_PARSER="$(PARSER) $(PARSER_ARGS)" ./equality.sh
 
 valgrind: $(PARSER) gen_xtrans gen_dbus
-	LANG=C ./valgrind_simple.py -p "$(PARSER)" -v simple_tests
+	LANG=C ./valgrind_simple.py -p "$(PARSER) $(PARSER_ARGS)" -v simple_tests
 
 $(PARSER):
 	$(MAKE) -C $(PARSER_DIR) $(PARSER_BIN)

parser/tst/caching.py

@@ -68,11 +68,19 @@ class AAParserCachingCommon(testlib.AATestTemplate):
             self.do_cleanup = False
             self.debug = True
 
-        self.cmd_prefix = [config.parser, '--base', self.tmp_dir, '--skip-kernel-load']
+        # Warnings break the test harness, but chroots may not be setup
+        # to have the config file, etc.
+        self.cmd_prefix = [config.parser, '--config-file=./parser.conf', '--base', self.tmp_dir, '--skip-kernel-load']
 
         if not self.is_apparmorfs_mounted():
             self.cmd_prefix += ['-M', './features_files/features.all']
 
+        # Otherwise get_cache_dir() will try to create /var/cache/apparmor
+        # and will fail when the test suite is run as non-root.
+        self.cmd_prefix += [
+            '--cache-loc', os.path.join(self.tmp_dir, 'cache')
+        ]
+
         # create directory for cached blobs
         # NOTE: get_cache_dir() requires cmd_prefix to be fully initialized
         self.cache_dir = self.get_cache_dir(create=True)

parser/tst/simple.pl

@@ -81,7 +81,7 @@ sub test_profile {
     # child
     open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
     open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
-    exec("$config{'parser'}", "-M", "features_files/features.all", "-S", "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
+    exec("$config{'parser'}", "--config-file=./parser.conf", "-M", "features_files/features.all", "-S", "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
     # noreturn
   }
 
@@ -131,9 +131,13 @@ sub test_profile {
   } elsif ($coredump) {
     ok(0, "$profile: Produced core dump (signal $signal): $description");
   } elsif ($istodo) {
-    TODO: {
-      local $TODO = "Unfixed testcase.";
-      ok($expass ? !$result : $result, "TODO: $profile: $description");
+    if ($expass != $result) {
+        fail("TODO passed unexpectedly: $profile: $description");
+    } else {
+      TODO: {
+        local $TODO = "Unfixed testcase.";
+        ok($expass ? !$result : $result, "TODO: $profile: $description");
+      }
     }
   } else {
     ok($expass ? !$result : $result, "$profile: $description");

parser/tst/simple_tests/abi/bad_1.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes
+#=EXRESULT FAIL
+#=TODO
+
+abi "abi/4.19,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_10.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi < "abi/4.19">,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_11.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi <"abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_12.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi < "abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_2.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes with spaces
+#=EXRESULT FAIL
+#
+
+abi abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_3.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes
+#=EXRESULT FAIL
+#
+
+abi "/abi/4.19"
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_4.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes with space
+#=EXRESULT FAIL
+#
+
+abi "/abi/4.19 ubuntu,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_5.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path no quotes missing ,
+#=EXRESULT FAIL
+#
+
+abi abi/4.19
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_6.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path
+#=EXRESULT FAIL
+#=TODO
+
+abi <abi/4.19,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_1.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes
+#=EXRESULT PASS
+#
+
+abi "abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_10.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=TODO
+#=DISABLED - results in "superfluous TODO", but fails after removing TODO
+
+abi < "abi/4.19">,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_11.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=DISABLED
+
+abi <"abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_12.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=TODO
+#=DISABLED - results in "superfluous TODO", but fails after removing TODO
+
+abi < "abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_13.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#
+
+abi <"abi/4.19 ubuntu">,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_14.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi <abi/4.19> ,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_15.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi "abi/4.19" ,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_16.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi abi/4.19 ,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_17.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path no space between and and path
+#=EXRESULT PASS
+#
+
+abi<abi/4.19>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_18.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path no space between and and path
+#=EXRESULT PASS
+#
+
+abi"abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_2.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes with spaces
+#=EXRESULT PASS
+#
+
+abi "abi/4.19 ubuntu",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_20.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi <abi/4.19>,
+
+}

parser/tst/simple_tests/abi/ok_21.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi "abi/4.19",
+
+}

parser/tst/simple_tests/abi/ok_22.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi abi/4.19,
+
+}

parser/tst/simple_tests/abi/ok_3.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes
+#=EXRESULT PASS
+#
+
+abi "/abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_4.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes with space
+#=EXRESULT PASS
+#
+
+abi "/abi/4.19 ubuntu",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_5.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path no quotes
+#=EXRESULT PASS
+#
+
+abi abi/4.19,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_6.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path
+#=EXRESULT PASS
+#
+
+abi <abi/4.19>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_7.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi < abi/4.19>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_8.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi <abi/4.19 >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_9.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi < abi/4.19 >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/vars/vars_profile_name_14.sd

@@ -1,6 +1,5 @@
 #=DESCRIPTION reference variables in rules that also have alternations
 #=EXRESULT PASS
-#=TODO
 # This test needs check on @{FOO} attachment having leading / post var expansion
 
 @{FOO}=/bar /baz

parser/tst/simple_tests/vars/vars_profile_name_25.sd

@@ -1,6 +1,5 @@
 #=DESCRIPTION reference variables is null
 #=EXRESULT FAIL
-#=TODO
 #needs post var expansion check that variable contained a value
 
 @{FOO}=

parser/tst/simple_tests/vars/vars_profile_name_26.sd

@@ -1,6 +1,5 @@
 #=DESCRIPTION reference variables is null
 #=EXRESULT FAIL
-#=TODO
 #needs post var expansion check that variable contained a value
 
 @{FOO}=

parser/tst/simple_tests/xtrans/minimize-x-conflict.sd

@@ -1,7 +1,6 @@
 #
 #=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
 #=EXRESULT PASS
-#=TODO
 #
 /usr/bin/foo {
 

parser/tst/simple_tests/xtrans/x-conflict.sd

@@ -1,7 +1,6 @@
 #
 #=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
 #=EXRESULT FAIL
-#=TODO
 #
 /usr/bin/foo {
   /b* px,

profiles/Makefile

@@ -29,6 +29,7 @@ DESTDIR=/
 PROFILES_DEST=${DESTDIR}/etc/apparmor.d
 EXTRAS_DEST=${DESTDIR}/usr/share/apparmor/extra-profiles/
 PROFILES_SOURCE=./apparmor.d
+ABSTRACTIONS_SOURCE=./apparmor.d/abstractions
 EXTRAS_SOURCE=./apparmor/profiles/extras/
 
 SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
@@ -84,6 +85,8 @@ docs:
 
 IGNORE_FILES=${EXTRAS_SOURCE}/README
 CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
+# use find because Make wildcard is not recursive:
+CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)
 
 .PHONY: check
 check: check-parser check-logprof
@@ -93,7 +96,15 @@ check-parser: local
 	@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
 	$(Q)for profile in ${CHECK_PROFILES} ; do \
 	        [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
-		${PARSER} -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
+		${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
+	done
+
+	@echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"
+	$(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \
+	        [ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \
+		echo "#include <tunables/global> profile test { #include <$${abstraction}> }" \
+		| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \
+		|| exit 1; \
 	done
 
 .PHONY: check-logprof

profiles/apparmor.d/abstractions/apache2-common

@@ -7,9 +7,9 @@
   # Allow unconfined processes to send us signals by default
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
-  signal (receive) peer=/usr/sbin/apache2,
+  signal (receive) peer=apache2,
   # Allow other hats to signal by default
-  signal peer=/usr/sbin/apache2//*,
+  signal peer=apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},
 

profiles/apparmor.d/abstractions/apparmor_api/is_enabled

@@ -8,8 +8,8 @@
 
 # permissions needed for aa_is_enabled
 
-# Make sure to include at least tunables/sys and tunables/apparmorfs
-# when using this abstraction, if not tunables/global.
+# Make sure to include tunables/apparmorfs and tunables/global
+# when using this abstraction
 
 #include <abstractions/apparmor_api/find_mountpoint>
 @{sys}/module/apparmor/parameters/enabled r,

profiles/apparmor.d/abstractions/base

@@ -90,8 +90,8 @@
   @{PROC}/meminfo                r,
   @{PROC}/stat                   r,
   @{PROC}/cpuinfo                r,
-  /sys/devices/system/cpu/       r,
-  /sys/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/       r,
+  @{sys}/devices/system/cpu/online r,
 
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,

profiles/apparmor.d/abstractions/dovecot-common

@@ -14,6 +14,6 @@
   deny capability block_suspend,
 
   # dovecot's master can send us signals
-  signal receive peer=/usr/sbin/dovecot,
+  signal receive peer=dovecot,
 
   /{var/,}run/dovecot/config rw,

profiles/apparmor.d/abstractions/dri-enumerate

@@ -4,6 +4,5 @@
 # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
 # libdrm).
 
-  # TODO: use @{sys} after it's moved into tunables/kernelvars (LP: #1728551)
-  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
 

profiles/apparmor.d/abstractions/freedesktop.org

@@ -10,21 +10,12 @@
 # ------------------------------------------------------------------
 
   # system configuration
-  /usr/{,local/}share/applications/{*/,}               r,
-  /usr/{,local/}share/applications/{*/,}defaults.list  r,
-  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
-  /usr/{,local/}share/applications/{*/,}*.desktop      r,
-  /usr/share/icons/               r,
-  /usr/share/icons/**             r,
-  /usr/share/pixmaps/             r,
-  /usr/share/pixmaps/**           r,
-  /usr/local/share/icons/               r,
-  /usr/local/share/icons/**             r,
-  /usr/local/share/pixmaps/             r,
-  /usr/local/share/pixmaps/**           r,
+  @{system_share_dirs}/applications/{**,} r,
+  @{system_share_dirs}/icons/{**,}        r,
+  @{system_share_dirs}/pixmaps/{**,}      r,
 
   # this should probably go elsewhere
-  /usr/share/mime/**              r,
+  @{system_share_dirs}/mime/** r,
 
   # per-user configurations
   owner @{HOME}/.icons/                 r,
@@ -32,12 +23,6 @@
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,
   owner @{HOME}/.config/mimeapps.list   r,
-  owner @{HOME}/.local/share/applications/               r,
-  owner @{HOME}/.local/share/applications/*.desktop      r,
-  owner @{HOME}/.local/share/applications/defaults.list  r,
-  owner @{HOME}/.local/share/applications/mimeapps.list  r,
-  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
-  owner @{HOME}/.local/share/icons/     r,
-  owner @{HOME}/.local/share/icons/**   r,
-  owner @{HOME}/.local/share/mime/      r,
-  owner @{HOME}/.local/share/mime/**    r,
+  owner @{user_share_dirs}/applications/{**,} r,
+  owner @{user_share_dirs}/icons/{**,}        r,
+  owner @{user_share_dirs}/mime/{**,}         r,

profiles/apparmor.d/abstractions/kde

@@ -15,6 +15,7 @@
 #include <abstractions/freedesktop.org>
 #include <abstractions/xdg-desktop>
 #include <abstractions/user-tmp>
+#include <abstractions/qt5>
 
 /etc/qt3/kstylerc r,
 /etc/qt3/qt_plugins_3.3rc r,
@@ -32,8 +33,6 @@ owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
 owner @{HOME}/.qt/** rw,
 owner @{HOME}/.config/Trolltech.conf rwk,
 
-/usr/share/icons/ r,
-/usr/share/icons/** r,
 /usr/share/X11/XKeysymDB r,
 
 # kde3

profiles/apparmor.d/abstractions/kde-globals-write

@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# Rules for changing KDE settings (for KFileDialog and other).
+
+  # User files
+ 
+  owner @{HOME}/.config/#[0-9]* rw,
+  owner @{HOME}/.config/kdeglobals rw,
+  owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/kdeglobals.lock rwk,
+

profiles/apparmor.d/abstractions/kde-icon-cache-write

@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# Rules for writing KDE icon cache
+
+  # User files
+
+  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+

profiles/apparmor.d/abstractions/kde-language-write

@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# Rules for changing per-application language settings on KDE. Some KDE
+# applications have "Help -> Switch Application Language..." option, that needs
+# write access to language settings file.
+
+  # User files
+
+  owner @{HOME}/.config/#[0-9]* rw,
+  owner @{HOME}/.config/klanguageoverridesrc rw,
+  owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/klanguageoverridesrc.lock rwk,
+

profiles/apparmor.d/abstractions/launchpad-integration

@@ -1,28 +0,0 @@
-# vim:syntax=apparmor
-# launchpad-integration
-
-  # Launchpad integration should run in a sanitizing profile
-  /usr/bin/launchpad-integration Cxr -> launchpad_integration,
-  profile launchpad_integration {
-    #include <abstractions/base>
-    #include <abstractions/nameservice>
-    #include <abstractions/ubuntu-browsers>
-
-    # Required for debuggers
-    capability sys_ptrace,
-
-    # Run confined with security execution. sudo scrubs the environment, so we
-    # don't have to
-    /usr/bin/sudo Ux,
-
-    # Give it wide permissions since it and apport need to do a lot
-    /** rwlk,
-    /{,usr/}{,s}bin/* Pixr,
-    /{,usr/}lib*/{,**/}*.so{,.*} m,
-    /usr/share/apport/* Pixr,
-
-    # Dangerous files
-    audit deny owner /**/*.py* r,       # python imports
-    audit deny owner /**/* m,           # compiled libraries
-  }
-

profiles/apparmor.d/abstractions/mesa

@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# Rules for Mesa implementation of the OpenGL API
+
+  # System files
+  /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
+
+  # User files
+  owner @{HOME}/.cache/ w, # if user clears all caches
+  owner @{HOME}/.cache/mesa_shader_cache/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/index rw,
+  owner @{HOME}/.cache/mesa_shader_cache/??/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+

profiles/apparmor.d/abstractions/nvidia

@@ -17,7 +17,7 @@
   @{PROC}/driver/nvidia/params r,
   @{PROC}/modules r,
 
-  /sys/devices/system/memory/block_size_bytes r,
+  @{sys}/devices/system/memory/block_size_bytes r,
 
   owner @{HOME}/.nv/ w,
   owner @{HOME}/.nv/GLCache/ rw,

profiles/apparmor.d/abstractions/opencl

@@ -0,0 +1,9 @@
+# vim:syntax=apparmor
+# OpenCL access requirements
+
+  # TODO: use conditionals to select allowed implementations
+  #include <abstractions/opencl-intel>
+  #include <abstractions/opencl-mesa>
+  #include <abstractions/opencl-nvidia>
+  #include <abstractions/opencl-pocl>
+

profiles/apparmor.d/abstractions/opencl-common

@@ -0,0 +1,10 @@
+# vim:syntax=apparmor
+# implementation-independent OpenCL access requirements
+
+  # System files
+
+  /etc/OpenCL/** r,
+  @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
+  @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
+  @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
+

profiles/apparmor.d/abstractions/opencl-intel

@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Intel implementation
+
+  #include <abstractions/opencl-common>
+
+  # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
+  #include <abstractions/X>
+
+  # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
+  #include <abstractions/dri-enumerate>
+
+  # System files
+
+  /dev/dri/card[0-9]* rw, # beignet/libcl.so
+  @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+  /usr/lib/@{multiarch}/beignet/** r,
+

profiles/apparmor.d/abstractions/opencl-mesa

@@ -0,0 +1,20 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for Mesa implementation
+
+  #include <abstractions/opencl-common>
+
+  # Additional libraries
+
+  /usr/lib/@{multiarch}/gallium-pipe/*.so mr, # libMesaOpenCL.so
+  /usr/lib{,64}/gallium-pipe/*.so mr, # libMesaOpenCL.so on openSUSE
+
+  # System files
+
+  /dev/dri/ r, # libMesaOpenCL.so -> libdrm.so
+  /dev/dri/render* rw, # libMesaOpenCL.so
+  /etc/drirc r, # libMesaOpenCL.so
+
+  # User files
+
+  owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so
+

profiles/apparmor.d/abstractions/opencl-nvidia

@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for NVIDIA implementation
+
+  #include <abstractions/nvidia>
+  #include <abstractions/opencl-common>
+
+  # Executables
+
+  # https://github.com/NVIDIA/nvidia-modprobe
+  # This setuid executable is used to create various device files and load the
+  # the nvidia kernel module.
+  /usr/bin/nvidia-modprobe Px -> nvidia_modprobe,
+
+  # System files
+
+  # libnvidia-opencl.so rules:
+  /dev/nvidia-uvm rw,
+  /dev/nvidia-uvm-tools rw,
+  @{sys}/devices/pci[0-9]*/**/config r,
+  @{sys}/devices/system/memory/block_size_bytes r,
+  /usr/share/nvidia/** r,
+  @{PROC}/devices r,
+  @{PROC}/sys/vm/mmap_min_addr r,
+
+  # User files
+
+  owner @{HOME}/.nv/ComputeCache/ w,
+  owner @{HOME}/.nv/ComputeCache/** rw,
+  owner @{HOME}/.nv/ComputeCache/index rwk,
+

profiles/apparmor.d/abstractions/opencl-pocl

@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# OpenCL access requirements for POCL implementation
+
+  #include <abstractions/opencl-common>
+
+  # Executables
+
+  /usr/bin/{,@{multiarch}-}ld.bfd Cx -> opencl_pocl_ld,
+  /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang Cx -> opencl_pocl_clang,
+
+  # System files
+
+  / r, # libpocl.so -> libhwloc.so
+  @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
+  @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
+  @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  @{sys}/devices/pci[0-9]*/**/ r, # for libpocl ->  hwloc_linux_lookup_block_class() from libhwloc.so
+  @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
+  @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
+  @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so ->  hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
+  @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
+  @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
+  @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
+  @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
+  @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
+  @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
+  @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
+  /usr/share/pocl/** r,
+  /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
+
+  # User files
+
+  owner @{HOME}/.cache/pocl/ w,
+  owner @{HOME}/.cache/pocl/kcache/ w,
+  owner @{HOME}/.cache/pocl/kcache/** rw,
+  owner @{HOME}/.cache/pocl/kcache/**.so mrw, # dangerous!
+  owner @{PROC}/@{pid}/{cgroup,cpuset,status} r, # libpocl.so -> libhwloc.so, status for libpocl.so -> libnuma.so
+
+  # Child profiles
+
+  profile opencl_pocl_ld {
+    #include <abstractions/base>
+
+    # Main executables
+
+    /usr/bin/{,@{multiarch}-}ld.bfd mr,
+
+    # User files
+
+    owner @{HOME}/.cache/pocl/kcache/tempfile*.so rw,
+    owner @{HOME}/.cache/pocl/kcache/**.so.o r,
+  }
+
+  profile opencl_pocl_clang {
+    #include <abstractions/base>
+
+    # Main executables
+
+    /usr/lib/llvm-[0-9]*.[0-9]*/bin/clang mr,
+
+    # Additional executables
+
+    /usr/bin/{,@{multiarch}-}ld.bfd ix, # TODO: transfer to opencl_ld child profile?
+
+    # System files
+
+    /etc/debian-version r,
+    /etc/lsb-release r,
+
+    # User files
+
+    owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw,
+  }
+

profiles/apparmor.d/abstractions/php

@@ -19,6 +19,9 @@
   # php extensions
   /usr/lib{64,}/php{,5,7}/*/*.so mr,
 
+  # ICU (unicode support) data tables
+  /usr/share/icu/*/*.dat r,
+
   # php session mmap socket
   /var/lib/php{,5,7}/session_mm_* rwlk,
   # file based session handler