parser: change priority so that it accumulates based on permissions

The current behavior of priority rules can be non-intuitive with
higher priority rules completely overriding lower priority rules even in
permissions not held in common. This behavior does have use cases but
its can be very confusing, and does not normal policy behavior

Eg.
  priority=0 allow r /**,
  priority=1 deny  w /**,

will result in no allowed permissions even though the deny rule is
only removing the w permission, beause the higher priority rule
completely over ride lower priority permissions sets (including
none shared permissions).

Instead move to tracking the priority at a per permission level. This
allows the w permission to still override at priority 1, while the
read permission is allowed at priority 0.

The final constructed state will still drop priority for the final
permission set on the state.

Note: this patch updates the equality tests for the cases where
the complete override behavior was being tested for.

The complete override behavior will be reintroduced in a future
patch with a keyword extension, enabling that behavior to be used
for ordered blocks etc.

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -7,15 +7,28 @@ binutils/aa-exec.1
 binutils/aa-features-abi
 binutils/aa-features-abi.1
 binutils/aa-load
+binutils/aa-load.8
 binutils/aa-status
 binutils/aa-status.8
 binutils/cJSON.o
 binutils/po/*.mo
+changehat/mod_apparmor/.libs
+changehat/mod_apparmor/mod_apparmor.8
+changehat/mod_apparmor/mod_apparmor.8.html
+changehat/mod_apparmor/mod_apparmor.la
+changehat/mod_apparmor/mod_apparmor.lo
+changehat/mod_apparmor/mod_apparmor.slo
+changehat/mod_apparmor/mod_apparmor.so
+changehat/mod_apparmor/pod2htmd.tmp
+changehat/pam_apparmor/get_options.o
+changehat/pam_apparmor/pam_apparmor.o
+changehat/pam_apparmor/pam_apparmor.so
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
 parser/generated_cap_names.h
 parser/generated_af_names.h
+parser/errnos.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
@@ -27,42 +40,9 @@ parser/parser_version.h
 parser/parser_yacc.c
 parser/parser_yacc.h
 parser/pod2htm*.tmp
-parser/af_rule.o
-parser/af_unix.o
-parser/all_rule.o
-parser/common_optarg.o
-parser/dbus.o
-parser/default_features.o
-parser/lib.o
-parser/libapparmor_re/aare_rules.o
-parser/libapparmor_re/chfa.o
-parser/libapparmor_re/expr-tree.o
-parser/libapparmor_re/hfa.o
+parser/libapparmor_re/*.o
 parser/libapparmor_re/libapparmor_re.a
-parser/libapparmor_re/parse.o
-parser/mount.o
-parser/mqueue.o
-parser/network.o
-parser/parser_alias.o
-parser/parser_common.o
-parser/parser_include.o
-parser/parser_interface.o
-parser/parser_lex.o
-parser/parser_main.o
-parser/parser_merge.o
-parser/parser_misc.o
-parser/parser_policy.o
-parser/parser_regex.o
-parser/parser_symtab.o
-parser/parser_variable.o
-parser/parser_yacc.o
-parser/policy_cache.o
-parser/profile.o
-parser/ptrace.o
-parser/rule.o
-parser/signal.o
-parser/userns.o
-parser/io_uring.o
+parser/*.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -141,6 +121,18 @@ libraries/libapparmor/src/tst_aalogmisc
 libraries/libapparmor/src/tst_aalogmisc.log
 libraries/libapparmor/src/tst_aalogmisc.o
 libraries/libapparmor/src/tst_aalogmisc.trs
+libraries/libapparmor/src/tst_aalogparse_cpp
+libraries/libapparmor/src/tst_aalogparse_cpp.log
+libraries/libapparmor/src/tst_aalogparse_cpp.o
+libraries/libapparmor/src/tst_aalogparse_cpp.trs
+libraries/libapparmor/src/tst_aalogparse_reentrancy
+libraries/libapparmor/src/tst_aalogparse_reentrancy.log
+libraries/libapparmor/src/tst_aalogparse_reentrancy.o
+libraries/libapparmor/src/tst_aalogparse_reentrancy.trs
+libraries/libapparmor/src/tst_aalogparse_oldname
+libraries/libapparmor/src/tst_aalogparse_oldname.log
+libraries/libapparmor/src/tst_aalogparse_oldname.o
+libraries/libapparmor/src/tst_aalogparse_oldname.trs
 libraries/libapparmor/src/tst_features
 libraries/libapparmor/src/tst_features.log
 libraries/libapparmor/src/tst_features.o
@@ -201,7 +193,6 @@ libraries/libapparmor/testsuite/libaalogparse.test/Makefile
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
 libraries/libapparmor/testsuite/test_multi/out
 libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
-changehat/mod_apparmor/.libs
 utils/*.8
 utils/*.8.html
 utils/*.5
@@ -240,6 +231,7 @@ tests/regression/apparmor/chgrp
 tests/regression/apparmor/chmod
 tests/regression/apparmor/chown
 tests/regression/apparmor/clone
+tests/regression/apparmor/complain
 tests/regression/apparmor/dbus_eavesdrop
 tests/regression/apparmor/dbus_message
 tests/regression/apparmor/dbus_service
@@ -266,8 +258,8 @@ tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
 tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
-tests/regression/apparmor/net_finegrained_rcv
-tests/regression/apparmor/net_finegrained_snd
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat
@@ -315,3 +307,15 @@ tests/regression/apparmor/xattrs_profile
 tests/regression/apparmor/coredump
 **/__pycache__/
 *.orig
+
+# Patterns related to spread integration tests
+*.img
+*.iso
+*.lock
+*.log
+*.qcow2
+*.run
+.spread-reuse.yaml
+.spread-reuse.*.yaml
+spread-artifacts/
+spread-logs/

.gitlab-ci.yml

@@ -4,25 +4,40 @@ image: ubuntu:latest
 # XXX - add a deploy stage to publish man pages, docs, and coverage
 # reports
 
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH
+
 stages:
   - build
   - test
 
-.ubuntu-before_script:
+.ubuntu-common:
   before_script:
-    - export DEBIAN_FRONTEND=noninteractive
+    # Install build-dependencies by loading the package list from the ubuntu/debian cloud-init profile.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_deps "Installing dependencies..."
     - apt-get update -qq
-    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
+    - apt-get install --yes yq make lsb-release
+    - |
+      printf 'include .image-garden.mk\n$(info $(UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE))\n.PHONY: nothing\nnothing:\n' \
+      | make -f - nothing \
+      | yq '.packages | .[]' \
+      | xargs apt-get install --yes --no-install-recommends
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_deps
+  after_script:
+    # Inspect the kernel and lsb-release.
     - lsb_release -a
     - uname -a
 
-.install-c-build-deps: &install-c-build-deps
-  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
-
 build-all:
   stage: build
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
+  script:
+    # Run the spread prepare section to build everything.
+    - yq -r '.prepare' <spread.yaml | SPREAD_PATH=. bash -xeu
   artifacts:
     name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
     expire_in: 30 days
@@ -35,39 +50,33 @@ build-all:
       - changehat/mod_apparmor/
       - changehat/pam_apparmor/
       - profiles/
-  script:
-    - *install-c-build-deps
-    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
-    - make -C parser
-    - make -C binutils
-    - make -C utils
-    - make -C changehat/mod_apparmor
-    - make -C changehat/pam_apparmor
-    - make -C profiles
 
 test-libapparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C libraries/libapparmor --touch
     - make -C libraries/libapparmor check
 
 test-parser:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C parser --touch
+    - make -C parser -j $(nproc) tst_binaries
     - make -C parser check
 
 test-binutils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
     - make -C binutils check
 
@@ -75,9 +84,16 @@ test-utils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C utils --touch
+
+    # TODO: move those to cloud-init list?
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+
     # See apparmor/apparmor#221
     - make -C parser/tst gen_dbus
     - make -C parser/tst gen_xtrans
@@ -92,31 +108,50 @@ test-mod-apparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C changehat/mod_apparmor --touch
     - make -C changehat/mod_apparmor check
 
 test-profiles:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C profiles --touch
     - make -C profiles check-parser
     - make -C profiles check-abstractions.d
-    - make -C profiles check-extras
+    - make -C profiles check-local
+
+# Build the regression tests (don't run them because that needs kernel access)
+test-build-regression:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-common
+  script:
+    # Additional dependencies required by regression tests
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y attr fuse-overlayfs libdbus-1-dev liburing-dev
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - make -C tests/regression/apparmor -j $(nproc)
 
 shellcheck:
   stage: test
   needs: []
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
-  - shellcheck --version
-  - './tests/bin/shellcheck-tree --format=checkstyle
-       | xmlstarlet tr tests/checkstyle2junit.xslt
-       > shellcheck.xml'
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - shellcheck --version
+    - "./tests/bin/shellcheck-tree --format=checkstyle
+      | xmlstarlet tr tests/checkstyle2junit.xslt
+      > shellcheck.xml"
   artifacts:
     when: always
     reports:
@@ -138,29 +173,26 @@ variables:
   SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
   SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
 
-.send-to-coverity: &send-to-coverity
-  - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
-    --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
-    --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
-    --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
-
 coverity:
   stage: .post
   extends:
-    - .ubuntu-before_script
-  only:
-    refs:
-      - master
+    - .ubuntu-common
   script:
-      - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
-      - *install-c-build-deps
-      - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
-        --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
-      - tar xfz /tmp/cov-analysis-linux64.tgz
-      - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
-      - PATH=$PATH:$(pwd)/$COV_VERSION/bin
-      - make coverity
-      - *send-to-coverity
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+      --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
+    - tar xfz /tmp/cov-analysis-linux64.tgz
+    - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
+    - PATH=$PATH:$(pwd)/$COV_VERSION/bin
+    - make coverity
+    - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+      --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
+      --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
+      --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
   artifacts:
     paths:
       - "apparmor-*.tar.gz"
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"

.image-garden.mk

@@ -0,0 +1,110 @@
+# This file is read by image-garden when spread is allocating test machines.
+# All the package installation happens through cloud-init profiles defined
+# below.
+
+# This is the cloud-init user-data profile for all Debian systems. Note that it
+# is an extension of the default profile necessary for operation of
+# image-garden.
+define DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- apache2-dev
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- build-essential
+- dejagnu
+- dosfstools
+- flake8
+- flex
+- fuse-overlayfs
+- gdb
+- gettext
+- libdbus-1-dev
+- libpam0g-dev
+- libtool
+- liburing-dev
+- pkg-config
+- python3-all-dev
+- python3-gi
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-tk
+- python3-ttkthemes
+- swig
+- toybox
+endef
+
+# Ubuntu shares cloud-init profile with Debian.
+UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE=$(DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE)
+
+# This is the cloud-init user-data profile for openSUSE Tumbleweed.
+define OPENSUSE_tumbleweed_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+- sed -i -e 's/security=selinux/security=apparmor/g' /etc/default/grub
+- update-bootloader
+packages:
+- apache2-devel
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-1-devel
+- dejagnu
+- dosfstools
+- flex
+- fuse-overlayfs
+- gcc
+- gcc-c++
+- gdb
+- gettext
+- gobject-introspection
+- libtool
+- liburing2-devel
+- make
+- pam-devel
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-setuptools
+- python3-tk
+- python311
+- python311-devel
+- swig
+endef
+
+define FEDORA_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-devel
+- dejagnu
+- dosfstools
+- flex
+- gdb
+- gettext
+- httpd-devel
+- libstdc++-static
+- libtool
+- liburing-devel
+- pam-devel
+- perl
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-gobject-base
+- python3-notify2
+- python3-tkinter
+- swig
+endef

Makefile

@@ -59,7 +59,7 @@ coverity: snapshot
 		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
 	cov-build --dir $(COVERITY_DIR) -- sh -c \
 	"$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		$(MAKE) -C $(SNAPSHOT_NAME)/$(dir);) "
+		$(MAKE) -j $$(nproc) -C $(SNAPSHOT_NAME)/$(dir);) "
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir

README.md

@@ -111,13 +111,21 @@ $ export PYTHON_VERSION=3
 $ export PYTHON_VERSIONS=python3
 ```
 
+Note that, in general, the build steps can be run in parallel, while the test
+steps do not gain much speedup from being run in parallel. This is because the
+test steps spawn a handful of long-lived test runner processes that mostly
+run their tests sequentially and do not use `make`'s jobserver. Moreover,
+process spawning overhead constitutes a significant part of test runtime, so
+reworking the test harnesses to add parallelism (which would be a major undertaking
+for the harnesses that do not have it already) would not produce much of a speedup.
+
 ### libapparmor:
 
 ```
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
 $ sh ./configure --prefix=/usr --with-perl --with-python # see below
-$ make
+$ make -j $(nproc)
 $ make check
 $ make install
 ```
@@ -130,7 +138,7 @@ generate Ruby bindings to libapparmor.]
 
 ```
 $ cd binutils
-$ make
+$ make -j $(nproc)
 $ make check
 $ make install
 ```
@@ -139,7 +147,8 @@ $ make install
 
 ```
 $ cd parser
-$ make		# depends on libapparmor having been built first
+$ make -j $(nproc)		# depends on libapparmor having been built first
+$ make -j $(nproc) tst_binaries		# a build step of make check that can be parallelized
 $ make check
 $ make install
 ```
@@ -149,7 +158,7 @@ $ make install
 
 ```
 $ cd utils
-$ make
+$ make -j $(nproc)
 $ make check PYFLAKES=/usr/bin/pyflakes3
 $ make install
 ```
@@ -158,7 +167,7 @@ $ make install
 
 ```
 $ cd changehat/mod_apparmor
-$ make		# depends on libapparmor having been built first
+$ make -j $(nproc)		# depends on libapparmor having been built first
 $ make install
 ```
 
@@ -167,7 +176,7 @@ $ make install
 
 ```
 $ cd changehat/pam_apparmor
-$ make		# depends on libapparmor having been built first
+$ make -j $(nproc)		# depends on libapparmor having been built first
 $ make install
 ```
 
@@ -197,6 +206,33 @@ usage and how to update and add tests. Below is a quick overview of their
 location and how to run them.
 
 
+Using spread with local virtual machines
+----------------------------------------
+
+It may be convenient to use the spread tool to provision and run the test suite
+in an ephemeral virtual machine. This allows testing in isolation from the
+host, as well as testing across different commonly used distributions and their
+real kernels.
+
+```sh
+sudo apt install git golang whois ovmf genisoimage qemu-utils qemu-system
+go install github.com/snapcore/spread/cmd/spread@latest
+git clone https://gitlab.com/zygoon/image-garden
+make -C image-garden
+sudo make -C image-garden install
+image-garden make ubuntu-cloud-24.10.x86_64.run
+cd $APPARMOR_PATH
+git clean -xdf
+~/go/bin/spread -artifacts ./spread-artifacts -v ubuntu-cloud-24.10
+# or ~/go/bin/spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
+```
+
+Running the `run_spread.sh` script, with `spread` on `PATH` will run all the
+tests across several supported systems (Debian, Ubuntu and openSUSE).
+
+If you include a `bzImage` file in the root of the repository then that kernel
+will be used in the integration test. Please look at `spread.yaml` for details.
+
 Regression tests
 ----------------
 For details on structure and adding tests, see
@@ -207,7 +243,7 @@ To run:
 ### Regression tests - using apparmor userspace installed on host
 ```
 $ cd tests/regression/apparmor (requires root)
-$ make USE_SYSTEM=1
+$ make -j $(nproc) USE_SYSTEM=1
 $ sudo make tests USE_SYSTEM=1
 $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
 ```
@@ -220,7 +256,7 @@ $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
 
 ```
 $ cd tests/regression/apparmor (requires root)
-$ make
+$ make -j $(nproc)
 $ sudo make tests
 $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
 ```
@@ -354,6 +390,10 @@ The aa-notify tool's Python dependencies can be satisfied by installing the
 following packages (Debian package names, other distros may vary):
 * python3-notify2
 * python3-psutil
+* python3-sqlite (part of the python3.NN-stdlib package)
+* python3-tk
+* python3-ttkthemes
+* python3-gi
 
 Perl is no longer needed since none of the utilities shipped to end users depend
 on it anymore.

binutils/Makefile

@@ -21,7 +21,7 @@ DESTDIR=/
 BINDIR=${DESTDIR}/usr/bin
 SBINDIR=${DESTDIR}/usr/sbin
 LOCALEDIR=/usr/share/locale
-MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-status.8
+MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-load.8 aa-status.8
 
 WARNINGS = -Wall
 CPP_WARNINGS =

binutils/aa-load.pod

@@ -0,0 +1,77 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-load - load precompiled AppArmor policy from cache location(s)
+
+=head1 SYNOPSIS
+
+B<aa-load> [options] (cache file|cache dir|cache base dir)+
+
+=head1 DESCRIPTION
+
+B<aa-load> loads precompiled AppArmor policy from the specified locations.
+
+=head1 OPTIONS
+
+B<aa-load> accepts the following arguments:
+
+=over 4
+
+=item -f, --force
+
+Force B<aa-load> to load a policy even if its abi does not match the kernel abi.
+
+=item -d, --debug
+
+Display debug messages.
+
+=item -v, --verbose
+
+Display progress and error messages.
+
+=item -n, --dry-run
+
+Do not actually load the specified policy/policies into the kernel.
+
+=item -h, --help
+
+Display a brief usage guide.
+
+=back
+
+=head1 EXIT STATUS
+
+Upon exiting, B<aa-load> returns 0 upon success and 1 upon an error loading
+the precompiled policy.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://gitlab.com/apparmor/apparmor/-/issues>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), and L<https://wiki.apparmor.net>.
+
+=cut

binutils/aa_load.c

@@ -172,7 +172,8 @@ static int load_policy_dir(const char *dir_path)
 	while ((dir = readdir(d)) != NULL) {
 		/* Only check regular files for now */
 		if (dir->d_type == DT_REG) {
-			len = strnlen(dir->d_name, PATH_MAX);
+			/* As per POSIX dir->d_name has at most NAME_MAX characters */
+			len = strnlen(dir->d_name, NAME_MAX);
 			/* Ignores .features */
 			if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {
 				continue;
@@ -308,9 +309,8 @@ static int load_arg(char *arg)
 
 static void print_usage(const char *command)
 {
-	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)]*\n"
-	       "Load Precompiled AppArmor policy from a cache location or \n"
-	       "locations.\n\n"
+	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)+\n"
+	       "Load precompiled AppArmor policy from cache location(s)\n\n"
 	       "Options:\n"
 	       "  -f, --force     load policy even if abi does not match the kernel\n"
 	       "  -d, --debug     display debug messages\n"

binutils/aa_status.c

@@ -20,6 +20,8 @@
 #include <ctype.h>
 #include <dirent.h>
 #include <regex.h>
+#include <libintl.h>
+#define _(s) gettext(s)
 
 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
@@ -131,7 +133,7 @@ const char *process_statuses[] = {"enforce", "complain", "prompt", "kill", "unco
 #define eprintf(...)                                                    \
 do {									\
 	if (!quiet)							\
-	  fprintf(stderr, __VA_ARGS__);					\
+		fprintf(stderr, __VA_ARGS__);					\
 } while (0)
 
 #define dprintf(...)							\
@@ -156,14 +158,14 @@ static int open_profiles(FILE **fp)
 
 	ret = stat("/sys/module/apparmor", &st);
 	if (ret != 0) {
-		eprintf("apparmor not present.\n");
+		eprintf(_("apparmor not present.\n"));
 		return AA_EXIT_DISABLED;
 	}
-	dprintf("apparmor module is loaded.\n");
+	dprintf(_("apparmor module is loaded.\n"));
 
 	ret = aa_find_mountpoint(&apparmorfs);
 	if (ret == -1) {
-		eprintf("apparmor filesystem is not mounted.\n");
+		eprintf(_("apparmor filesystem is not mounted.\n"));
 		return AA_EXIT_NO_CONTROL;
 	}
 
@@ -176,9 +178,9 @@ static int open_profiles(FILE **fp)
 	*fp = fopen(apparmor_profiles, "r");
 	if (*fp == NULL) {
 		if (errno == EACCES) {
-			eprintf("You do not have enough privilege to read the profile set.\n");
+			eprintf(_("You do not have enough privilege to read the profile set.\n"));
 		} else {
-			eprintf("Could not open %s: %s", apparmor_profiles, strerror(errno));
+			eprintf(_("Could not open %s: %s"), apparmor_profiles, strerror(errno));
 		}
 		return AA_EXIT_NO_PERM;
 	}
@@ -351,7 +353,7 @@ static int get_processes(struct profile *profiles,
 			continue;
 		} else if (rc == -1 ||
 			   asprintf(&exe, "/proc/%s/exe", entry->d_name) == -1) {
-			eprintf("ERROR: Failed to allocate memory\n");
+			eprintf(_("ERROR: Failed to allocate memory\n"));
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto exit;
 		} else if (mode) {
@@ -374,7 +376,7 @@ static int get_processes(struct profile *profiles,
 			// ensure enough space for NUL terminator
 			real_exe = calloc(PATH_MAX + 1, sizeof(char));
 			if (real_exe == NULL) {
-				eprintf("ERROR: Failed to allocate memory\n");
+				eprintf(_("ERROR: Failed to allocate memory\n"));
 				ret = AA_EXIT_INTERNAL_ERROR;
 				goto exit;
 			}
@@ -488,7 +490,7 @@ static int filter_processes(struct process *processes,
  *
  * Return: 0 on success, else shell error code
  */
-static int simple_filtered_count(FILE *outf, filters_t *filters,
+static int simple_filtered_count(FILE *outf, filters_t *filters, bool json,
 				 struct profile *profiles, size_t nprofiles)
 {
 	struct profile *filtered = NULL;
@@ -497,7 +499,13 @@ static int simple_filtered_count(FILE *outf, filters_t *filters,
 
 	ret = filter_profiles(profiles, nprofiles, filters,
 			      &filtered, &nfiltered);
-	fprintf(outf, "%zd\n", nfiltered);
+
+	if (!json) {
+		fprintf(outf, "%zd\n", nfiltered);
+	} else {
+		fprintf(outf, "\"profile_count\": %zd", nfiltered);
+	}
+
 	free_profiles(filtered, nfiltered);
 
 	return ret;
@@ -512,7 +520,7 @@ static int simple_filtered_count(FILE *outf, filters_t *filters,
  *
  * Return: 0 on success, else shell error code
  */
-static int simple_filtered_process_count(FILE *outf, filters_t *filters,
+static int simple_filtered_process_count(FILE *outf, filters_t *filters, bool json,
 					 struct process *processes, size_t nprocesses) {
 	struct process *filtered = NULL;
 	size_t nfiltered;
@@ -520,7 +528,12 @@ static int simple_filtered_process_count(FILE *outf, filters_t *filters,
 
 	ret = filter_processes(processes, nprocesses, filters, &filtered,
 			       &nfiltered);
-	fprintf(outf, "%zd\n", nfiltered);
+	if (!json) {
+		fprintf(outf, "%zd\n", nfiltered);
+	} else {
+		fprintf(outf, "\"process_count\": %zd", nfiltered);
+	}
+	
 	free_processes(filtered, nfiltered);
 
 	return ret;
@@ -539,7 +552,12 @@ static int compare_processes_by_executable(const void *a, const void *b) {
 
 static void json_header(FILE *outf)
 {
-	fprintf(outf, "{\"version\": \"%s\", ", aa_status_json_version);
+	fprintf(outf, "{\"version\": \"%s\"", aa_status_json_version);
+}
+
+static void json_seperator(FILE *outf)
+{
+	fprintf(outf, ", ");
 }
 
 static void json_footer(FILE *outf)
@@ -582,7 +600,7 @@ static int detailed_profiles(FILE *outf, filters_t *filters, bool json,
 		 */
 		subfilters.mode = &mode_filter;
 		if (regcomp(&mode_filter, profile_statuses[i], REG_NOSUB) != 0) {
-			eprintf("Error: failed to compile sub filter '%s'\n",
+			eprintf(_("Error: failed to compile sub filter '%s'\n"),
 				 profile_statuses[i]);
 			return AA_EXIT_INTERNAL_ERROR;
 		}
@@ -607,7 +625,7 @@ static int detailed_profiles(FILE *outf, filters_t *filters, bool json,
 		free_profiles(filtered, nfiltered);
 	}
 	if (json)
-		fprintf(outf, "}, ");
+		fprintf(outf, "}");
 
 	return AA_EXIT_ENABLED;
 }
@@ -648,7 +666,7 @@ static int detailed_processes(FILE *outf, filters_t *filters, bool json,
 		 */
 		subfilters.mode = &mode_filter;
 		if (regcomp(&mode_filter, process_statuses[i], REG_NOSUB) != 0) {
-			eprintf("Error: failed to compile sub filter '%s'\n",
+			eprintf(_("Error: failed to compile sub filter '%s'\n"),
 				 profile_statuses[i]);
 			return AA_EXIT_INTERNAL_ERROR;
 		}
@@ -700,7 +718,7 @@ static int detailed_processes(FILE *outf, filters_t *filters, bool json,
 			fprintf(outf, "]");
 		}
 
-		fprintf(outf, "}\n");
+		fprintf(outf, "}");
 	}
 
 exit:
@@ -710,7 +728,7 @@ exit:
 
 static int print_legacy(const char *command)
 {
-	printf("Usage: %s [OPTIONS]\n"
+	printf(_("Usage: %s [OPTIONS]\n"
 	 "Legacy options and their equivalent command\n"
 	 "  --profiled             --count --profiles\n"
 	 "  --enforced             --count --profiles --mode=enforced\n"
@@ -718,8 +736,8 @@ static int print_legacy(const char *command)
 	 "  --kill                 --count --profiles --mode=kill\n"
 	 "  --prompt               --count --profiles --mode=prompt\n"
 	 "  --special-unconfined   --count --profiles --mode=unconfined\n"
-	 "  --process-mixed        --count --ps --mode=mixed\n",
-	command);
+	 "  --process-mixed        --count --ps --mode=mixed\n"),
+	 command);
 
 	exit(0);
 	return 0;
@@ -729,7 +747,7 @@ static int usage_filters(void)
 {
 	long unsigned int i;
 
-	printf("Usage of filters\n"
+	printf(_("Usage of filters\n"
 	 "Filters are used to reduce the output of information to only\n"
 	 "those entries that will match the filter. Filters use posix\n"
 	 "regular expression syntax. The possible values for exes that\n"
@@ -739,7 +757,7 @@ static int usage_filters(void)
 	 "  --filter.profiles: regular expression to match displayed profile names\n"
 	 "  --filter.pid:  regular expression to match displayed processes pids\n"
 	 "  --filter.exe:  regular expression to match executable\n"
-	);
+	));
 	for (i = 0; i < ARRAY_SIZE(process_statuses); i++) {
 		printf("%s%s", i ? ", " : "", process_statuses[i]);
 	}
@@ -757,7 +775,7 @@ static int print_usage(const char *command, bool error)
 		status = EXIT_FAILURE;
 	}
 
-	printf("Usage: %s [OPTIONS]\n"
+	printf(_("Usage: %s [OPTIONS]\n"
 	 "Displays various information about the currently loaded AppArmor policy.\n"
 	 "Default if no options given\n"
 	 "  --show=all\n\n"
@@ -774,8 +792,8 @@ static int print_usage(const char *command, bool error)
 	 "  --verbose       (default) displays data points about loaded policy set\n"
 	 "  --quiet         don't output error messages\n"
 	 "  -h[(legacy|filters)]      this message, or info on the specified option\n"
-	 "  --help[=(legacy|filters)] this message, or info on the specified option\n",
-	 command);
+	 "  --help[=(legacy|filters)] this message, or info on the specified option\n"),
+	command);
 
 	exit(status);
 
@@ -851,7 +869,7 @@ static int parse_args(int argc, char **argv)
 			} else if (strcmp(optarg, "filters") == 0) {
 				usage_filters();
 			} else {
-				eprintf("Error: Invalid --help option '%s'.\n", optarg);
+				eprintf(_("Error: Invalid --help option '%s'.\n"), optarg);
 				print_usage(argv[0], true);
 				break;
 			}
@@ -919,7 +937,7 @@ static int parse_args(int argc, char **argv)
 			} else if (strcmp(optarg, "processes") == 0) {
 				opt_show = SHOW_PROCESSES;
 			} else {
-				eprintf("Error: Invalid --show option '%s'.\n", optarg);
+				eprintf(_("Error: Invalid --show option '%s'.\n"), optarg);
 				print_usage(argv[0], true);
 				break;
 			}
@@ -941,7 +959,7 @@ static int parse_args(int argc, char **argv)
 			break;
 			
 		default:
-			eprintf("Error: Invalid command.\n");
+			eprintf(_("Error: Invalid command.\n"));
 			print_usage(argv[0], true);
 			break;
 		}
@@ -966,7 +984,7 @@ int main(int argc, char **argv)
 	if (argc > 1) {
 		int pos = parse_args(argc, argv);
 		if (pos < argc) {
-			eprintf("Error: Unknown options.\n");
+			eprintf(_("Error: Unknown options.\n"));
 			print_usage(progname, true);
 		}
 	} else {
@@ -978,24 +996,24 @@ int main(int argc, char **argv)
 
 	init_filters(&filters, &filter_set);
 	if (regcomp(filters.mode, opt_mode, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile mode filter '%s'\n",
+		eprintf(_("Error: failed to compile mode filter '%s'\n"),
 			 opt_mode);
 		return AA_EXIT_INTERNAL_ERROR;
 	}
 	if (regcomp(filters.profile, opt_profiles, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile profiles filter '%s'\n",
+		eprintf(_("Error: failed to compile profiles filter '%s'\n"),
 			 opt_profiles);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
 	}
 	if (regcomp(filters.pid, opt_pid, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile ps filter '%s'\n",
+		eprintf(_("Error: failed to compile ps filter '%s'\n"),
 			 opt_pid);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
 	}
 	if (regcomp(filters.exe, opt_exe, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile exe filter '%s'\n",
+		eprintf(_("Error: failed to compile exe filter '%s'\n"),
 			 opt_exe);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
@@ -1010,7 +1028,7 @@ int main(int argc, char **argv)
 		outf_save = outf;
 		outf = open_memstream(&buffer, &buffer_size);
 		if (!outf) {
-			eprintf("Failed to open memstream: %m\n");
+			eprintf(_("Failed to open memstream: %m\n"));
 			return AA_EXIT_INTERNAL_ERROR;
 		}
 	}
@@ -1021,15 +1039,17 @@ int main(int argc, char **argv)
 	 */
 	ret = get_profiles(fp, &profiles, &nprofiles);
 	if (ret != 0) {
-		eprintf("Failed to get profiles: %d....\n", ret);
+		eprintf(_("Failed to get profiles: %d....\n"), ret);
 		goto out;
 	}
 
 	if (opt_json)
 		json_header(outf);
 	if (opt_show & SHOW_PROFILES) {
+		if (opt_json)
+			json_seperator(outf);
 		if (opt_count) {
-			ret = simple_filtered_count(outf, &filters,
+			ret = simple_filtered_count(outf, &filters, opt_json,
 						    profiles, nprofiles);
 		} else {
 			ret = detailed_profiles(outf, &filters, opt_json,
@@ -1040,14 +1060,17 @@ int main(int argc, char **argv)
 	}
 
 	if (opt_show & SHOW_PROCESSES) {
+		if (opt_json)
+			json_seperator(outf);
+
 		struct process *processes = NULL;
 		size_t nprocesses = 0;
 
 		ret = get_processes(profiles, nprofiles, &processes, &nprocesses);
 		if (ret != 0) {
-			eprintf("Failed to get processes: %d....\n", ret);
+			eprintf(_("Failed to get processes: %d....\n"), ret);
 		} else if (opt_count) {
-			ret = simple_filtered_process_count(outf, &filters,
+			ret = simple_filtered_process_count(outf, &filters, opt_json,
 							processes, nprocesses);
 		} else {
 			ret = detailed_processes(outf, &filters, opt_json,
@@ -1071,14 +1094,14 @@ int main(int argc, char **argv)
 		outf = outf_save;
 		json = cJSON_Parse(buffer);
 		if (!json) {
-			eprintf("Failed to parse json output");
+			eprintf(_("Failed to parse json output"));
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto out;
 		}
 
 		pretty = cJSON_Print(json);
 		if (!pretty) {
-			eprintf("Failed to print pretty json");
+			eprintf(_("Failed to print pretty json"));
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto out;
 		}

binutils/po/aa_enabled.pot

@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_enabled
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2020.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:52-0700\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

binutils/po/aa_exec.pot

@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_exec
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2020.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:52-0700\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

binutils/po/aa_features_abi.pot

@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_features_abi
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2011.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:52-0700\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

binutils/po/aa_load.pot

@@ -0,0 +1,34 @@
+# Translations for aa_load
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2020.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_load.c:40
+msgid "aa-load: WARN: "
+msgstr ""
+
+#: ../aa_load.c:41
+msgid "aa-load: ERROR: "
+msgstr ""
+
+#: ../aa_load.c:51
+msgid "\n"
+msgstr ""
+
+#: ../aa_load.c:52
+msgid "aa-load: DEBUG: "
+msgstr ""

binutils/po/aa_status.pot

@@ -0,0 +1,165 @@
+# Translations for aa_status
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2024.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2024-08-31 17:49-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_status.c:161
+msgid "apparmor not present.\n"
+msgstr ""
+
+#: ../aa_status.c:164
+msgid "apparmor module is loaded.\n"
+msgstr ""
+
+#: ../aa_status.c:168
+msgid "apparmor filesystem is not mounted.\n"
+msgstr ""
+
+#: ../aa_status.c:181
+msgid "You do not have enough privilege to read the profile set.\n"
+msgstr ""
+
+#: ../aa_status.c:183
+#, c-format
+msgid "Could not open %s: %s"
+msgstr ""
+
+#: ../aa_status.c:356 ../aa_status.c:379
+msgid "ERROR: Failed to allocate memory\n"
+msgstr ""
+
+#: ../aa_status.c:587 ../aa_status.c:653
+#, c-format
+msgid "Error: failed to compile sub filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:715
+#, c-format
+msgid ""
+"Usage: %s [OPTIONS]\n"
+"Legacy options and their equivalent command\n"
+"  --profiled             --count --profiles\n"
+"  --enforced             --count --profiles --mode=enforced\n"
+"  --complaining          --count --profiles --mode=complain\n"
+"  --kill                 --count --profiles --mode=kill\n"
+"  --prompt               --count --profiles --mode=prompt\n"
+"  --special-unconfined   --count --profiles --mode=unconfined\n"
+"  --process-mixed        --count --ps --mode=mixed\n"
+msgstr ""
+
+#: ../aa_status.c:734
+#, c-format
+msgid ""
+"Usage of filters\n"
+"Filters are used to reduce the output of information to only\n"
+"those entries that will match the filter. Filters use posix\n"
+"regular expression syntax. The possible values for exes that\n"
+"support filters are below\n"
+"\n"
+"  --filter.mode: regular expression to match the profile "
+"mode                 modes: enforce, complain, kill, unconfined, mixed\n"
+"  --filter.profiles: regular expression to match displayed profile names\n"
+"  --filter.pid:  regular expression to match displayed processes pids\n"
+"  --filter.exe:  regular expression to match executable\n"
+msgstr ""
+
+#: ../aa_status.c:762
+#, c-format
+msgid ""
+"Usage: %s [OPTIONS]\n"
+"Displays various information about the currently loaded AppArmor policy.\n"
+"Default if no options given\n"
+"  --show=all\n"
+"\n"
+"OPTIONS (one only):\n"
+"  --enabled       returns error code if AppArmor not enabled\n"
+"  --show=X        What information to show. {profiles,processes,all}\n"
+"  --count         print the number of entries. Implies --quiet\n"
+"  --filter.mode=filter      see filters\n"
+"  --filter.profiles=filter  see filters\n"
+"  --filter.pid=filter       see filters\n"
+"  --filter.exe=filter       see filters\n"
+"  --json          displays multiple data points in machine-readable JSON "
+"format\n"
+"  --pretty-json   same data as --json, formatted for human consumption as "
+"well\n"
+"  --verbose       (default) displays data points about loaded policy set\n"
+"  --quiet         don't output error messages\n"
+"  -h[(legacy|filters)]      this message, or info on the specified option\n"
+"  --help[=(legacy|filters)] this message, or info on the specified option\n"
+msgstr ""
+
+#: ../aa_status.c:856
+#, c-format
+msgid "Error: Invalid --help option '%s'.\n"
+msgstr ""
+
+#: ../aa_status.c:924
+#, c-format
+msgid "Error: Invalid --show option '%s'.\n"
+msgstr ""
+
+#: ../aa_status.c:946
+msgid "Error: Invalid command.\n"
+msgstr ""
+
+#: ../aa_status.c:971
+msgid "Error: Unknown options.\n"
+msgstr ""
+
+#: ../aa_status.c:983
+#, c-format
+msgid "Error: failed to compile mode filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:988
+#, c-format
+msgid "Error: failed to compile profiles filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:994
+#, c-format
+msgid "Error: failed to compile ps filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:1000
+#, c-format
+msgid "Error: failed to compile exe filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:1015
+#, c-format
+msgid "Failed to open memstream: %m\n"
+msgstr ""
+
+#: ../aa_status.c:1026
+#, c-format
+msgid "Failed to get profiles: %d....\n"
+msgstr ""
+
+#: ../aa_status.c:1050
+#, c-format
+msgid "Failed to get processes: %d....\n"
+msgstr ""
+
+#: ../aa_status.c:1076
+msgid "Failed to parse json output"
+msgstr ""
+
+#: ../aa_status.c:1083
+msgid "Failed to print pretty json"
+msgstr ""

common/Make.rules

@@ -35,10 +35,7 @@ VERSION=$(shell cat $(COMMONDIR)/Version)
 pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
 map = $(foreach a,$(2),$(call $(1),$(a)))
 
-AWK:=$(shell which awk)
-ifndef AWK
-$(error awk utility required for build but not available)
-endif
+AWK?=$(or $(shell command -v awk),$(error awk utility required for build but not available))
 
 define nl
 

common/Version

@@ -1 +1 @@
-4.0.0~beta2
+4.1.0~beta1

libraries/libapparmor/configure.ac

@@ -92,13 +92,16 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 
+AC_PROG_CXX
+
 m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
-EXTRA_CFLAGS="-Wall $(EXTRA_WARNINGS) -fPIC"
+EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
 AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
 AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
 	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
 	,)
 AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
+AC_SUBST([AM_CXXFLAGS], ["$EXTRA_CFLAGS"])
 
 AC_OUTPUT(
 Makefile

libraries/libapparmor/doc/aa_change_hat.pod

@@ -22,15 +22,15 @@
 
 =head1 NAME
 
-aa_change_hat  - change to or from a "hat" within a AppArmor profile
+aa_change_hat - change to or from a "hat" within a AppArmor profile
 
 =head1 SYNOPSIS
 
 B<#include E<lt>sys/apparmor.hE<gt>>
 
-B<int aa_change_hat (char *subprofile, unsigned long magic_token);>
+B<int aa_change_hat (const char *subprofile, unsigned long magic_token);>
 
-B<int aa_change_hatv (char *subprofiles[], unsigned long magic_token);>
+B<int aa_change_hatv (const char *subprofiles[], unsigned long magic_token);>
 
 B<int aa_change_hat_vargs (unsigned long magic_token, ...);>
 

libraries/libapparmor/doc/aa_change_profile.pod

@@ -22,7 +22,7 @@
 
 =head1 NAME
 
-aa_change_profile, aa_change_onexec - change a tasks profile
+aa_change_profile, aa_change_onexec - change a task's profile
 
 =head1 SYNOPSIS
 
@@ -58,8 +58,8 @@ The aa_change_onexec() function is like the aa_change_profile() function
 except it specifies that the profile transition should take place on the
 next exec instead of immediately.  The delayed profile change takes
 precedence over any exec transition rules within the confining profile.
-Delaying the profile boundary has a couple of advantages, it removes the
-need for stub transition profiles and the exec boundary is a natural security
+Delaying the profile boundary has a couple of advantages: it removes the
+need for stub transition profiles, and the exec boundary is a natural security
 layer where potentially sensitive memory is unmapped.
 
 =head1 RETURN VALUE

libraries/libapparmor/doc/aa_features.pod

@@ -54,7 +54,7 @@ B<typedef struct aa_features aa_features;>
 
 B<int aa_features_new(aa_features **features, int dirfd, const char *path);>
 
-B<int aa_features_new_from_file(aa_features **features, int fd);>
+B<int aa_features_new_from_file(aa_features **features, int file);>
 
 B<int aa_features_new_from_string(aa_features **features, const char *string, size_t size);>
 

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -58,6 +58,9 @@ appropriately.
 
 =head1 ERRORS
 
+# podchecker warns about duplicate link targets for EACCES, EBUSY, ENOENT,
+# and ENOMEM, but this is a warning that is safe to ignore.
+
 B<aa_is_enabled>
 
 =over 4

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -41,7 +41,7 @@ result is an intersection of all profiles which are stacked. Stacking profiles
 together is desirable when wanting to ensure that confinement will never become
 more permissive. When changing between two profiles, as performed with
 aa_change_profile(2), there is always the possibility that the new profile is
-more permissive than the old profile but that possibility is eliminated when
+more permissive than the old profile, but that possibility is eliminated when
 using aa_stack_profile().
 
 To stack a profile with the current confinement context, a task can use the
@@ -68,7 +68,7 @@ The aa_stack_onexec() function is like the aa_stack_profile() function
 except it specifies that the stacking should take place on the next exec
 instead of immediately. The delayed profile change takes precedence over any
 exec transition rules within the confining profile. Delaying the stacking
-boundary has a couple of advantages, it removes the need for stub transition
+boundary has a couple of advantages: it removes the need for stub transition
 profiles and the exec boundary is a natural security layer where potentially
 sensitive memory is unmapped.
 

libraries/libapparmor/include/aalogparse.h

@@ -19,6 +19,10 @@
 #ifndef __LIBAALOGPARSE_H_
 #define __LIBAALOGPARSE_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define AA_RECORD_EXEC_MMAP	1
 #define AA_RECORD_READ		2
 #define AA_RECORD_WRITE		4
@@ -26,10 +30,10 @@
 #define AA_RECORD_LINK		16
 
 /**
- * This is just for convenience now that we have two 
- * wildly different grammars.
+ * Enum representing which syntax version the log entry used.
+ * Support for V1 parsing was completely removed in 2011 and that enum entry
+ * is only still there for API compatibility reasons.
  */
-
 typedef enum
 {
 	AA_RECORD_SYNTAX_V1,
@@ -48,70 +52,23 @@ typedef enum
 	AA_RECORD_STATUS	/* Configuration change */
 } aa_record_event_type;
 
-/**
- * With the sole exception of active_hat, this is a 1:1
- * mapping from the keys that the new syntax uses.
+/*
+ * Use this preprocessor dance to maintain backcompat for field names
+ * This will break C code that used the C++ reserved keywords "namespace"
+ * and "class" as identifiers, but this is bad practice anyways, and we
+ * hope that we are the only ones in a given C file that messed up this way
  *
- * Some examples of the old syntax and how they're mapped with the aa_log_record struct:
- *
- * "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
- * - operation: access
- * - requested_mask: r
- * - pid: 12345
- * - profile: /profile
- * - name: /path
- * - info: program_name
- * - active_hat: hat
- *
- * "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
- * - operation: mkdir
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out 
- * - active_hat: /bin/freak-aa-out 
- * 
- * "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: xattr
- * - attribute: set
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- *
- * "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: setattr
- * - attribute: something
- * - name: /else
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: capability
- * - name: cap
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
- * - operation: change_hat
- * - name: TESTHAT
- * - info: unknown_hat
- * - pid: 27764
- * - profile: /change_hat_test/test_hat
- * - active_hat: /change_hat_test/test_hat
- *
- * "LOGPROF-HINT fork pid=27764 child=38229"
- * - operation: clone
- * - task: 38229
- * - pid: 27764
- **/
+ * TODO: document this in a man page for aalogparse?
+ */
+#if defined(SWIG) && defined(__cplusplus)
+#error "SWIG and __cplusplus are defined together"
+#elif !defined(SWIG) && !defined(__cplusplus)
+/* Use SWIG's %rename feature to preserve backcompat */
+#define class rule_class
+#define namespace aa_namespace
+#endif
 
-typedef struct
+typedef struct aa_log_record
 {
 	aa_record_syntax_version version;
 	aa_record_event_type event;	/* Event type */
@@ -134,7 +91,7 @@ typedef struct
 	char *comm;			/* Command that triggered msg */
 	char *name;
 	char *name2;
-	char *namespace;
+	char *aa_namespace;
 	char *attribute;
 	unsigned long parent;	
 	char *info;
@@ -148,6 +105,7 @@ typedef struct
 	unsigned long net_local_port;
 	char *net_foreign_addr;
 	unsigned long net_foreign_port;
+
 	char *dbus_bus;
 	char *dbus_path;
 	char *dbus_interface;
@@ -160,7 +118,11 @@ typedef struct
 	char *flags;
 	char *src_name;
 
-	char *class;
+	char *rule_class;
+
+	char *net_addr;
+	char *peer_addr;
+	char *execpath;
 } aa_log_record;
 
 /**
@@ -171,7 +133,7 @@ typedef struct
  * @return Parsed data.
  */
 aa_log_record *
-parse_record(char *str);
+parse_record(const char *str);
 
 /**
  * Frees all struct data.
@@ -180,5 +142,9 @@ parse_record(char *str);
 void
 free_record(aa_log_record *record);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif
 

libraries/libapparmor/include/sys/apparmor.h

@@ -105,8 +105,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
 #define AA_QUERY_CMD_LABEL		"label"
 #define AA_QUERY_CMD_LABEL_SIZE		sizeof(AA_QUERY_CMD_LABEL)
 
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
+extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
+			  int *audited);
 extern int aa_query_file_path_len(uint32_t mask, const char *label,
 				  size_t label_len, const char *path,
 				  size_t path_len, int *allowed, int *audited);

libraries/libapparmor/src/Makefile.am

@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
 #
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
 
-AA_LIB_CURRENT = 18
-AA_LIB_REVISION = 1
-AA_LIB_AGE = 17
-EXPECTED_SO_NAME = libapparmor.so.1.17.1
+AA_LIB_CURRENT = 20
+AA_LIB_REVISION = 0
+AA_LIB_AGE = 19
+EXPECTED_SO_NAME = libapparmor.so.1.19.0
 
 SUFFIXES = .pc.in .pc
 
@@ -44,7 +44,7 @@ include $(COMMONDIR)/Make.rules
 
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
-AM_YFLAGS = -d -p aalogparse_
+AM_YFLAGS = -Wno-yacc -d -p aalogparse_
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<
@@ -52,7 +52,7 @@ scanner.h: scanner.l
 scanner.c: scanner.l
 
 af_protos.h:
-	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
@@ -73,6 +73,16 @@ CLEANFILES = libapparmor.pc
 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a
 
+tst_aalogparse_cpp_SOURCES = tst_aalogparse_cpp.cpp
+tst_aalogparse_cpp_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_oldname_SOURCES = tst_aalogparse_oldname.c
+tst_aalogparse_oldname_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_reentrancy_SOURCES = tst_aalogparse_reentrancy.c
+tst_aalogparse_reentrancy_LDADD = .libs/libapparmor.a
+tst_aalogparse_reentrancy_LDFLAGS = -pthread
+
 tst_features_SOURCES = tst_features.c
 tst_features_LDADD = .libs/libapparmor.a
 
@@ -80,7 +90,7 @@ tst_kernel_SOURCES = tst_kernel.c
 tst_kernel_LDADD = .libs/libapparmor.a
 tst_kernel_LDFLAGS = -pthread
 
-check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
+check_PROGRAMS = tst_aalogmisc tst_aalogparse_cpp tst_aalogparse_reentrancy tst_aalogparse_oldname tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
 .PHONY: check-local

libraries/libapparmor/src/grammar.y

@@ -15,17 +15,15 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+/* aalogparse_error now requires visibility of the aa_log_record type
+ * Also include in a %code requires block to add it to the header
+ */
+%code requires{
+	#include <aalogparse.h>
+}
 
 %{
 
-/* set the following to non-zero to get bison to emit debugging
- * information about tokens given and rules matched.
- * Also:
- *   Uncomment the %defines
- *   parse.error
- *   parse.trace
- */
-#define YYDEBUG 0
 #include <string.h>
 #include <aalogparse.h>
 #include "parser.h"
@@ -41,12 +39,10 @@
 #define debug_unused_ unused_
 #endif
 
-aa_log_record *ret_record;
-
 /* Since we're a library, on any errors we don't want to print out any
  * error messages. We should probably add a debug interface that does
  * emit messages when asked for. */
-void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
+void aalogparse_error(unused_ void *scanner, aa_log_record *ret_record, debug_unused_ char const *s)
 {
 #if (YYDEBUG != 0)
 	printf("ERROR: %s\n", s);
@@ -89,9 +85,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %define parse.trace
 */
 
-%define api.pure
+%define api.pure full
 %lex-param{void *scanner}
 %parse-param{void *scanner}
+%parse-param{aa_log_record *ret_record}
 
 %union
 {
@@ -114,6 +111,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_PERIOD
 %token TOK_QUESTION_MARK
 %token TOK_SINGLE_QUOTE
+%token TOK_NONE
 
 %token TOK_TYPE_REJECT
 %token TOK_TYPE_AUDIT
@@ -187,6 +185,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_UNIX_PEER_ADDR
+%token TOK_KEY_EXECPATH
 %token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
@@ -281,8 +281,9 @@ audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
 
 audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
 	{
-		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
-			yyerror(scanner, YY_("Out of memory"));
+		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7)) {
+			yyerror(scanner, ret_record, YY_("Out of memory"));
+		}
 		ret_record->epoch = atol($3);
 		ret_record->audit_sub_id = atoi($7);
 		free($3);
@@ -305,7 +306,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_NAME TOK_EQUALS safe_string
 	{ ret_record->name = $3;}
 	| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
-	{ ret_record->namespace = $3;}
+	{ ret_record->aa_namespace = $3;}
 	| TOK_KEY_NAME2 TOK_EQUALS safe_string
 	{ ret_record->name2 = $3;}
 	| TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
@@ -354,6 +355,13 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
+	| TOK_KEY_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_ADDR TOK_EQUALS safe_string
+	{ ret_record->net_addr = $3; }
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS safe_string
+	{ ret_record->peer_addr = $3; }
 	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
 	{ free($3);} /* Ignore - fsuid username */
 	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
@@ -363,10 +371,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
 	{ free($3); /* Ignore - hostname from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
 	| TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS safe_string
-	{ free($3); /* Ignore - IP address from user AVC messages */ }
 	| TOK_KEY_TERMINAL TOK_EQUALS safe_string
 	{ free($3); /* Ignore - TTY from user AVC messages */ }
 	| TOK_KEY_EXE TOK_EQUALS safe_string
@@ -419,21 +424,21 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->dbus_member = $3; }
 	| TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
 	{ ret_record->signal = $3; }
-
 	| TOK_KEY_FSTYPE TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fs_type = $3; }
 	| TOK_KEY_FLAGS TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->flags = $3; }
 	| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->src_name = $3; }
-
+	| TOK_KEY_EXECPATH TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->execpath = $3; }
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
 	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
-	{ ret_record->class = $3; }
+	{ ret_record->rule_class = $3; }
 	;
 
 apparmor_event:
@@ -470,31 +475,3 @@ protocol: TOK_QUOTED_STRING
 	}
 	;
 %%
-
-aa_log_record *
-_parse_yacc(char *str)
-{
-	/* yydebug = 1;  */
-	YY_BUFFER_STATE lex_buf;
-	yyscan_t scanner;
-
-	ret_record = NULL;
-	ret_record = malloc(sizeof(aa_log_record));
-
-	_init_log_record(ret_record);
-
-	if (ret_record == NULL)
-		return NULL;
-
-#if (YYDEBUG != 0)
-	yydebug = 1;
-#endif
-
-	aalogparse_lex_init(&scanner);
-	lex_buf = aalogparse__scan_string(str, scanner);
-	/* Ignore return value to return an AA_RECORD_INVALID event */
-	(void)aalogparse_parse(scanner);
-	aalogparse__delete_buffer(lex_buf, scanner);
-	aalogparse_lex_destroy(scanner);
-	return ret_record;
-}

libraries/libapparmor/src/libaalogparse.c

@@ -34,13 +34,42 @@
 #include <aalogparse.h>
 #include "parser.h"
 
+#include "grammar.h"
+#include "scanner.h"
+
 /* This is mostly just a wrapper around the code in grammar.y */
-aa_log_record *parse_record(char *str)
+aa_log_record *parse_record(const char *str)
 {
+	YY_BUFFER_STATE lex_buf;
+	yyscan_t scanner;
+	aa_log_record *ret_record;
+
 	if (str == NULL)
 		return NULL;
 
-	return _parse_yacc(str);
+	ret_record = malloc(sizeof(aa_log_record));
+
+	_init_log_record(ret_record);
+
+	if (ret_record == NULL)
+		return NULL;
+
+	struct string_buf string_buf = {.buf = NULL, .buf_len = 0, .buf_alloc = 0};
+
+#if (YYDEBUG != 0)
+	/* Warning: this is still a global even in reentrant parsers */
+	aalogparse_debug = 1;
+#endif
+
+	aalogparse_lex_init_extra(&string_buf, &scanner);
+	lex_buf = aalogparse__scan_string(str, scanner);
+	/* Ignore return value to return an AA_RECORD_INVALID event */
+	(void)aalogparse_parse(scanner, ret_record);
+	aalogparse__delete_buffer(lex_buf, scanner);
+	aalogparse_lex_destroy(scanner);
+	/* free(NULL) is a no-op */
+	free(string_buf.buf);
+	return ret_record;
 }
 
 void free_record(aa_log_record *record)
@@ -63,8 +92,8 @@ void free_record(aa_log_record *record)
 			free(record->name);
 		if (record->name2 != NULL)
 			free(record->name2);
-		if (record->namespace != NULL)
-			free(record->namespace);
+		if (record->aa_namespace != NULL)
+			free(record->aa_namespace);
 		if (record->attribute != NULL)
 			free(record->attribute);
 		if (record->info != NULL)
@@ -103,8 +132,15 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
-		if (record->class != NULL)
-			free(record->class);
+		if (record->net_addr != NULL)
+			free(record->net_addr);
+		if (record->peer_addr != NULL)
+			free(record->peer_addr);
+		if (record->execpath != NULL)
+			free(record->execpath);
+
+		if (record->rule_class != NULL)
+			free(record->rule_class);
 
 		free(record);
 	}

libraries/libapparmor/src/libapparmor.map

@@ -127,6 +127,7 @@ APPARMOR_3.0 {
 APPARMOR_3.1 {
   global:
 	aa_features_check;
+	aa_split_overlay_str;
   local:
 	*;
 } APPARMOR_3.0;

libraries/libapparmor/src/parser.h

@@ -19,8 +19,14 @@
 #ifndef __AA_LOG_PARSER_H__
 #define __AA_LOG_PARSER_H__
 
+// Internal-only type
+struct string_buf {
+	char *buf;
+	unsigned int buf_len;
+	unsigned int buf_alloc;
+};
+
 extern void _init_log_record(aa_log_record *record);
-extern aa_log_record *_parse_yacc(char *str);
 extern char *hex_to_string(char *str);
 extern char *ipproto_to_string(unsigned int proto);
 

libraries/libapparmor/src/scanner.l

@@ -19,6 +19,7 @@
 %option nounput
 %option noyy_top_state
 %option reentrant
+%option extra-type="struct string_buf*"
 %option prefix="aalogparse_"
 %option bison-bridge
 %option header-file="scanner.h"
@@ -34,40 +35,37 @@
 
 #define YY_NO_INPUT
 
-unsigned int string_buf_alloc = 0;
-unsigned int string_buf_len = 0;
-char *string_buf = NULL;
-
-void string_buf_reset()
+void string_buf_reset(struct string_buf* char_buf)
 {
 	/* rewind buffer to zero, possibly doing initial allocation too */
-	string_buf_len = 0;
- 	if (string_buf == NULL) {
-		string_buf_alloc = 128;
-		string_buf = malloc(string_buf_alloc);
-		assert(string_buf != NULL);
+	char_buf->buf_len = 0;
+	if (char_buf->buf == NULL) {
+		char_buf->buf_alloc = 128;
+		char_buf->buf = malloc(char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* always start with a valid but empty string */
-	string_buf[0] = '\0';
+	char_buf->buf[0] = '\0';
 }
 
-void string_buf_append(unsigned int length, char *text)
+void string_buf_append(struct string_buf* char_buf, unsigned int length, char *text)
 {
-	unsigned int current_length = string_buf_len;
+	unsigned int current_length = char_buf->buf_len;
 
 	/* handle calling ..._append before ..._reset */
-	if (string_buf == NULL) string_buf_reset();
+	if (char_buf->buf == NULL) string_buf_reset(char_buf);
 
-	string_buf_len += length;
+	char_buf->buf_len += length;
 	/* expand allocation if this append would exceed the allocation */
-	while (string_buf_len >= string_buf_alloc) {
-		string_buf_alloc *= 2;
-		string_buf = realloc(string_buf, string_buf_alloc);
-		assert(string_buf != NULL);
+	while (char_buf->buf_len >= char_buf->buf_alloc) {
+		// TODO: overflow?
+		char_buf->buf_alloc *= 2;
+		char_buf->buf = realloc(char_buf->buf, char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* copy and unconditionally terminate */
-	memcpy(string_buf+current_length, text, length);
-	string_buf[string_buf_len] = '\0';
+	memcpy(char_buf->buf+current_length, text, length);
+	char_buf->buf[char_buf->buf_len] = '\0';
 }
 
 %}
@@ -90,6 +88,7 @@ question_mark	"?"
 single_quote	"'"
 mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
 modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
+none		"none"
 /* New message types */
 
 aa_reject_type		"APPARMOR_DENIED"
@@ -157,9 +156,13 @@ key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
 key_laddr		"laddr"
+key_saddr		"saddr"
 key_faddr		"faddr"
+key_daddr		"daddr"
 key_lport		"lport"
+key_srcport		"src"
 key_fport		"fport"
+key_destport		"dest"
 key_bus			"bus"
 key_dest		"dest"
 key_path		"path"
@@ -173,6 +176,8 @@ key_flags		"flags"
 key_srcname		"srcname"
 key_class		"class"
 key_tcontext		"tcontext"
+key_unix_peer_addr	"peer_addr"
+key_execpath		"execpath"
 audit			"audit"
 
 /* network addrs */
@@ -225,7 +230,7 @@ yy_flex_debug = 0;
 	{open_paren}		{ return(TOK_OPEN_PAREN); }
 	{close_paren}		{ BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
 	{ws}		{ }
-	\"			{ string_buf_reset(); BEGIN(quoted_string); }
+	\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{ID}+	{
 			yylval->t_str = strdup(yytext);
 			BEGIN(INITIAL);
@@ -234,20 +239,20 @@ yy_flex_debug = 0;
 	{equals}		{ return(TOK_EQUALS); }
 	}
 
-\"			{ string_buf_reset(); BEGIN(quoted_string); }
+\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 <quoted_string>\"	{ /* End of the quoted string */
 				BEGIN(INITIAL);
-				yylval->t_str = strdup(string_buf);
+				yylval->t_str = strdup(yyextra->buf);
 				return(TOK_QUOTED_STRING);
 			}
 
 
-<quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
+<quoted_string>\\(.|\n) { string_buf_append(yyextra, 1, &yytext[1]); }
 
-<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
+<quoted_string>[^\\\n\"]+ { string_buf_append(yyextra, yyleng, yytext); }
 
 <safe_string>{
-	\"		{ string_buf_reset(); BEGIN(quoted_string); }
+	\"		{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{hexstring}	{ yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
 	{equals}	{ return(TOK_EQUALS); }
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
@@ -303,6 +308,8 @@ yy_flex_debug = 0;
 {period}		{ return(TOK_PERIOD); }
 {question_mark}		{ return(TOK_QUESTION_MARK); }
 {single_quote}		{ return(TOK_SINGLE_QUOTE); }
+{none}			{ return(TOK_NONE); }
+
 
 {key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
 {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
@@ -342,7 +349,7 @@ yy_flex_debug = 0;
 {key_sauid}		{ return(TOK_KEY_SAUID); }
 {key_ses}		{ return(TOK_KEY_SES); }
 {key_hostname}		{ return(TOK_KEY_HOSTNAME); }
-{key_addr}		{ return(TOK_KEY_ADDR); }
+{key_addr}		{ BEGIN(safe_string); return(TOK_KEY_ADDR); }
 {key_terminal}		{ return(TOK_KEY_TERMINAL); }
 {key_exe}		{ BEGIN(safe_string); return(TOK_KEY_EXE); }
 {key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
@@ -351,9 +358,13 @@ yy_flex_debug = 0;
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
 {key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_saddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_daddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_lport}		{ return(TOK_KEY_LPORT); }
+{key_srcport}		{ return(TOK_KEY_LPORT); }
 {key_fport}		{ return(TOK_KEY_FPORT); }
+{key_destport}		{ return(TOK_KEY_FPORT); }
 {key_bus}		{ return(TOK_KEY_BUS); }
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
@@ -364,6 +375,8 @@ yy_flex_debug = 0;
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_unix_peer_addr}    { BEGIN(safe_string); return(TOK_KEY_UNIX_PEER_ADDR); }
+{key_execpath}		{ BEGIN(safe_string); return(TOK_KEY_EXECPATH); }
 {key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }

libraries/libapparmor/src/tst_aalogparse_cpp.cpp

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can do aalogparse stuff in C++ */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->aa_namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->rule_class != NULL) && (strcmp(record->rule_class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_oldname.c

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can use the C++-incompatible field names */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->class != NULL) && (strcmp(record->class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_reentrancy.c

@@ -0,0 +1,154 @@
+#include <pthread.h>
+#include <string.h>
+
+#include <aalogparse.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+const char* log_line_2 = "[ 4074.372559] audit: type=1400 audit(1725553393.143:793): apparmor=\"DENIED\" operation=\"capable\" class=\"cap\" profile=\"/usr/lib/snapd/snap-confine\" pid=19034 comm=\"snap-confine\" capability=12  capname=\"net_admin\"";
+
+static int pthread_barrier_ok(int barrier_result) {
+	return barrier_result == 0 || barrier_result == PTHREAD_BARRIER_SERIAL_THREAD;
+}
+
+static int nullcmp_and_strcmp(const void *s1, const void *s2)
+{
+	/* Return 0 if both pointers are NULL & non-zero if only one is NULL */
+	if (!s1 || !s2)
+		return s1 != s2;
+
+	return strcmp(s1, s2);
+}
+
+int aa_log_record_eq(aa_log_record *record1, aa_log_record *record2) {
+	int are_eq = 1;
+
+	are_eq &= (record1->version == record2->version);
+	are_eq &= (record1->event == record2->event);
+	are_eq &= (record1->pid == record2->pid);
+	are_eq &= (record1->peer_pid == record2->peer_pid);
+	are_eq &= (record1->task == record2->task);
+	are_eq &= (record1->magic_token == record2->magic_token);
+	are_eq &= (record1->epoch == record2->epoch);
+	are_eq &= (record1->audit_sub_id == record2->audit_sub_id);
+
+	are_eq &= (record1->bitmask == record2->bitmask);
+	are_eq &= (nullcmp_and_strcmp(record1->audit_id, record2->audit_id) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->operation, record2->operation) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->denied_mask, record2->denied_mask) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->requested_mask, record2->requested_mask) == 0);
+	are_eq &= (record1->fsuid == record2->fsuid);
+	are_eq &= (record1->ouid == record2->ouid);
+	are_eq &= (nullcmp_and_strcmp(record1->profile, record2->profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_profile, record2->peer_profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->comm, record2->comm) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name, record2->name) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name2, record2->name2) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->namespace, record2->namespace) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->attribute, record2->attribute) == 0);
+	are_eq &= (record1->parent == record2->parent);
+	are_eq &= (nullcmp_and_strcmp(record1->info, record2->info) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_info, record2->peer_info) == 0);
+	are_eq &= (record1->error_code == record2->error_code);
+	are_eq &= (nullcmp_and_strcmp(record1->active_hat, record2->active_hat) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_family, record2->net_family) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_protocol, record2->net_protocol) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_sock_type, record2->net_sock_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_local_addr, record2->net_local_addr) == 0);
+	are_eq &= (record1->net_local_port == record2->net_local_port);
+	are_eq &= (nullcmp_and_strcmp(record1->net_foreign_addr, record2->net_foreign_addr) == 0);
+	are_eq &= (record1->net_foreign_port == record2->net_foreign_port);
+
+	are_eq &= (nullcmp_and_strcmp(record1->execpath, record2->execpath) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_bus, record2->dbus_bus) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_path, record2->dbus_path) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_interface, record2->dbus_interface) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_member, record2->dbus_member) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->signal, record2->signal) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer, record2->peer) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->fs_type, record2->fs_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->flags, record2->flags) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->src_name, record2->src_name) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->class, record2->class) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->net_addr, record2->net_addr) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_addr, record2->peer_addr) == 0);
+	return are_eq;
+}
+
+typedef struct {
+	const char* log;
+	pthread_barrier_t *barrier;
+} pthread_parse_args;
+
+void* pthread_parse_log(void* args) {
+	pthread_parse_args *args_real = (pthread_parse_args *) args;
+	int barrier_wait_result = pthread_barrier_wait(args_real->barrier);
+	/* Return NULL and fail test if barrier wait fails */
+	if (!pthread_barrier_ok(barrier_wait_result)) {
+		return NULL;
+	}
+	aa_log_record *record = parse_record(args_real->log);
+	return (void*) record;
+}
+
+#define NUM_THREADS 16
+
+int main(void) {
+	pthread_t thread_ids[NUM_THREADS];
+	pthread_barrier_t barrier;
+	int barrier_wait_result;
+	aa_log_record* parsed_logs[NUM_THREADS];
+	int rc = 0;
+	/* Set up arguments to be passed to threads */
+	pthread_parse_args args = {.log=log_line, .barrier=&barrier};
+	pthread_parse_args args2 = {.log=log_line_2, .barrier=&barrier};
+
+	MY_TEST(NUM_THREADS > 2, "Test requires more than 2 threads");
+
+	/* Use barrier to synchronize the start of log parsing among all the threads
+	 * This increases the likelihood of tickling race conditions, if there are any
+	 */
+	MY_TEST(pthread_barrier_init(&barrier, NULL, NUM_THREADS+1) == 0,
+		"Could not init pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		if (i%2 == 0) {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args);
+		} else {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args2);
+		}
+	}
+	/* Final barrier_wait to set off the thread race */
+	barrier_wait_result = pthread_barrier_wait(&barrier);
+	MY_TEST(pthread_barrier_ok(barrier_wait_result), "Could not wait on pthread barrier");
+
+	/* Wait for threads to finish parsing the logs */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(pthread_join(thread_ids[i], (void*) &parsed_logs[i]) == 0, "Could not join thread");
+	}
+
+	/* Check that all logs parsed and are equal */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(parsed_logs[i] != NULL, "Log failed to parse");
+		MY_TEST(parsed_logs[i]->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+		MY_TEST(parsed_logs[i]->event == AA_RECORD_DENIED, "Log should have parsed as denied");
+
+		/* Also check i==0 and i==1 as a sanity check for aa_log_record_eq */
+		if (i%2 == 0) {
+			MY_TEST(aa_log_record_eq(parsed_logs[0], parsed_logs[i]), "Log 0 != Log even");
+		} else {
+			MY_TEST(aa_log_record_eq(parsed_logs[1], parsed_logs[i]), "Log 1 != Log odd");
+		}
+	}
+	MY_TEST(!aa_log_record_eq(parsed_logs[0], parsed_logs[1]), "Log 0 and log 1 shouldn't be equal");
+	/* Clean up */
+	MY_TEST(pthread_barrier_destroy(&barrier) == 0, "Could not destroy pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		free_record(parsed_logs[i]);
+	}
+	return rc;
+}

libraries/libapparmor/src/tst_features.c

@@ -135,7 +135,7 @@ static int do_test_walk_one(const char **str, const struct component *component,
 
 static int test_walk_one(void)
 {
-	struct component c;
+	struct component c = (struct component) { NULL, 0 };
 	const char *str;
 	int rc = 0;
 

libraries/libapparmor/swig/Makefile.am

@@ -1,3 +1,3 @@
 SUBDIRS = perl python ruby
 
-EXTRA_DIST = SWIG/*.i java/Makefile.am
+EXTRA_DIST = SWIG/*.i

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -5,9 +5,98 @@
 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
 
+// Include static_assert if the C compiler supports it
+// static_assert standardized since C11, assert.h not needed since C23
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && __STDC_VERSION__ < 202311L
+#include <assert.h>
+#endif
 %}
 
 %include "typemaps.i"
+%include <cstring.i>
+%include <stdint.i>
+%include <exception.i>
+
+/*
+ * SWIG 4.3 included https://github.com/swig/swig/pull/2907 to distinguish
+ * between Py_None being returned as a default void and Py_None being returned
+ * as the equivalent of C NULL. Unfortunately, this turns into an API breaking
+ * change with our use of %append_output when we want the Python function to
+ * return something even when the C function has a void return type. Thus, we
+ * need an additional macro to smooth over the differences. Include all affected
+ * languages, even ones we don't build bindings for, for completeness.
+ */
+#if SWIG_VERSION >= 0x040300
+#ifdef SWIGPYTHON
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Python_AppendOutput($result, value, 1);}
+#elif defined(SWIGRUBY)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Ruby_AppendOutput($result, value, 1);}
+#elif defined(SWIGPHP)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Php_AppendOutput($result, value, 1);}
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+
+%newobject parse_record;
+%delobject free_record;
+/*
+ * Despite its name, %delobject does not hook up destructors to language
+ * deletion mechanisms. Instead, it sets flags so that manually calling the
+ * free function and then deleting by language mechanisms doesn't cause a
+ * double-free.
+ *
+ * Additionally, we can manually extend the struct with a C++-like
+ * destructor. This ensures that the record struct is freed 
+ * automatically when the high-level object goes out of scope.
+ */
+%extend aa_log_record {
+	~aa_log_record() {
+		free_record($self);
+	}
+}
+
+/*
+ * Generate a no-op free_record wrapper to avoid making a double-free footgun.
+ * Use rename directive to avoid colliding with the actual free_record, which
+ * we use above to clean up when the higher-level language deletes the object.
+ * 
+ * Ideally we would not expose a free_record at all, but we need to maintain
+ * backwards compatibility with the existing high-level code that uses it.
+ */
+%rename(free_record) noop_free_record;
+#ifdef SWIGPYTHON
+%pythonprepend noop_free_record %{
+import warnings
+warnings.warn("free_record is now a no-op as the record's memory is handled automatically", DeprecationWarning)
+%}
+#endif
+%feature("autodoc",
+  "This function used to free aa_log_record objects. Freeing is now handled "
+  "automatically, so this no-op function remains for backwards compatibility.") noop_free_record;
+%inline %{
+  void noop_free_record(aa_log_record *record) {(void) record;}
+%}
+
+/*
+ * Do not autogenerate a wrapper around free_record. This does not prevent us
+ * from calling it ourselves in %extend C code.
+ */
+%ignore free_record;
+
+
+/*
+ * Map names to preserve backwards compatibility
+ */
+#ifdef SWIGPYTHON
+%rename("_class") aa_log_record::rule_class;
+#else
+%rename("class") aa_log_record::rule_class;
+#endif
+%rename("namespace") aa_log_record::aa_namespace;
+
 %include <aalogparse.h>
 
 /**
@@ -21,18 +110,75 @@
 
 /* apparmor.h */
 
+/*
+ * label is a heap-allocated pointer, but when label and mode occur together,
+ * the freeing of label must be deferred because mode points into label.
+ *
+ * %cstring_output_allocate((char **label, char **mode), free(*$1))
+ * does not handle multi-argument typemaps correctly, so we write our own
+ * typemap based on it instead.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **label, char **mode) ($*1_ltype temp_label = 0, $*2_ltype temp_mode = 0) {
+  $1 = &temp_label;
+  $2 = &temp_mode;
+}
+%typemap(freearg,match="in") (char **label, char **mode) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **label, char **mode) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$2));
+  free(*$1);
+}
+
+/*
+ * mode also occurs in combination with con in aa_splitcon
+ * typemap based on %cstring_mutable but with substantial modifications
+ */
+%typemap(in,numinputs=1,fragment="SWIG_AsCharPtrAndSize") (char *con, char **mode) ($*2_ltype temp_mode = 0) {
+  int alloc_status = 0;
+  $1_ltype con_ptr = NULL;
+  size_t con_len = 0;
+  int char_ptr_res = SWIG_AsCharPtrAndSize($input, &con_ptr, &con_len, &alloc_status);
+  if (!SWIG_IsOK(char_ptr_res)) {
+    %argument_fail(char_ptr_res, "char *con", $symname, $argnum);
+  }
+  if (alloc_status != SWIG_NEWOBJ) {
+    // Unconditionally copy because the C function modifies the string in place
+    $1 = %new_copy_array(con_ptr, con_len+1, char);
+  } else {
+    $1 = con_ptr;
+  }
+
+  $2 = &temp_mode;
+}
+%typemap(freearg,noblock=1,match="in") (char *con, char **mode) {
+  %delete_array($1);
+}
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char *con, char **mode) {
+  /*
+   * aa_splitcon returns either con or NULL so we don't need to explicitly
+   * append it to the output, and we don't need the ISVOID helper here
+   * 
+   * SWIG_FromCharPtr does NULL checks for us
+   */
+  %append_output(SWIG_FromCharPtr(*$2));
+}
+
+%exception aa_splitcon {
+  $action
+  if (result == NULL) {
+    SWIG_exception_fail(SWIG_ValueError, "received invalid confinement context");
+  }
+}
+
 extern char *aa_splitcon(char *con, char **mode);
 
-/* apparmor_private.h */
-
-extern int _aa_is_blacklisted(const char *name);
-
 #ifdef SWIGPYTHON
 %exception {
   $action
   if (result < 0) {
+    // Unfortunately SWIG_exception does not support OSError
     PyErr_SetFromErrno(PyExc_OSError);
-    return NULL;
+    SWIG_fail;
   }
 }
 #endif
@@ -41,33 +187,206 @@ extern int _aa_is_blacklisted(const char *name);
 
 /* apparmor.h */
 
+/*
+ * aa_is_enabled returns a boolean as an int with failure reason in errno 
+ * Therefore, aa_is_enabled either returns True or throws an exception
+ *
+ * Keep that behavior for backwards compatibilty but return a boolean on Python
+ * where it makes more sense, which isn't a breaking change because a boolean is
+ * a subclass of int
+ */
+#ifdef SWIGPYTHON
+%typemap(out) int {
+	$result = PyBool_FromLong($1);
+}
+#endif
 extern int aa_is_enabled(void);
-extern int aa_find_mountpoint(char **mnt);
+
+#ifdef SWIGPYTHON
+// Based on SWIG's argcargv.i but we don't have an argc
+%typemap(in,fragment="SWIG_AsCharPtr") const char *subprofiles[] (Py_ssize_t seq_len=0, int* alloc_tracking = NULL) {
+  void* arg_as_ptr = NULL;
+  int res_convertptr = SWIG_ConvertPtr($input, &arg_as_ptr, $descriptor(char*[]), 0);
+  if (SWIG_IsOK(res_convertptr)) {
+    $1 = %static_cast(arg_as_ptr, $1_ltype);
+  } else {
+    // Clear error that would be set if ptr conversion failed
+    PyErr_Clear();
+
+    int is_list = PyList_Check($input);
+    if (is_list || PyTuple_Check($input)) {
+      seq_len = PySequence_Length($input);
+      /*
+       * %new_array zero-inits for cleaner error handling and memory cleanup
+       * %delete_array(NULL) is no-op (either free or delete), and
+       * alloc_tracking of 0 is uninit
+       * 
+       * Further note: SWIG_exception_fail jumps to the freearg typemap
+       */
+      $1 = %new_array(seq_len+1, char *);
+      if ($1 == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C subprofiles");
+      }
+
+      alloc_tracking = %new_array(seq_len, int);
+      if (alloc_tracking == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C alloc track arr");
+      }
+      for (Py_ssize_t i=0; i<seq_len; i++) {
+        PyObject *o = is_list ? PyList_GetItem($input, i) : PyTuple_GetItem($input, i);
+        if (o == NULL) {
+          // Failed to get item-Python already set exception info
+          SWIG_fail;
+        } else if (o == Py_None) {
+          // SWIG_AsCharPtr(Py_None, ...) succeeds with ptr output being NULL
+          SWIG_exception_fail(SWIG_ValueError, "sequence contains a None object");
+        }
+        int res = SWIG_AsCharPtr(o, &$1[i], &alloc_tracking[i]);
+        if (!SWIG_IsOK(res)) {
+          // Could emit idx of error here, maybe?
+          SWIG_exception_fail(SWIG_ArgError(res), "sequence does not contain all strings");
+        }
+      }
+    } else {
+      SWIG_exception_fail(SWIG_TypeError, "subprofiles is not a list or tuple");
+    }
+  }
+}
+%typemap(freearg,noblock=1) const char *subprofiles[] {
+/*
+ * If static_assert is present, use it to verify the assumption that
+ * allocation uninitialized (0) != SWIG_NEWOBJ
+ */
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  static_assert(SWIG_NEWOBJ != 0);
+%#endif
+  if ($1 != NULL && alloc_tracking$argnum != NULL) {
+    for (Py_ssize_t i=0; i<seq_len$argnum; i++) {
+      if (alloc_tracking$argnum[i] == SWIG_NEWOBJ) {
+        %delete_array($1[i]);
+      }
+    }
+  }
+  %delete_array(alloc_tracking$argnum);
+  %delete_array($1);
+}
+#endif
+
+/* These should not receive the VOID_Object typemap */
 extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
 extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
-extern int aa_change_hat_vargs(unsigned long token, int count, ...);
 extern int aa_stack_profile(const char *profile);
 extern int aa_stack_onexec(const char *profile);
-extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
-			      char **mode);
-extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
+
+/*
+ * aa_find_mountpoint mnt is an output pointer to a heap-allocated string
+ *
+ * This is a replica of %cstring_output_allocate(char **mnt, free(*$1))
+ * that uses the ISVOID helper to work correctly on SWIG 4.3 or later.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **mnt) ($*1_ltype temp_mnt = 0) {
+  $1 = &temp_mnt;
+}
+%typemap(freearg,match="in") (char **mnt) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **mnt) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  free(*$1);
+}
+/* The other errno-based functions should not always be returning the int value:
+ * - Python exceptions signal success/failure status instead via the %exception 
+ *   handler above.
+ * - Perl (the other binding) has $! for accessing errno but would check the int
+ *   return status first.
+ *
+ * The generated C code for (out) resets the return value to None
+ * before appending the returned data (argout generated by %cstring stuff)
+ */
+#ifdef SWIGPYTHON
+%typemap(out,noblock=1) int {
+#if defined(VOID_Object)
+	$result = VOID_Object;
+#endif
+}
+#endif
+
+/*
+ * We can't use "typedef int pid_t" because we still support systems
+ * with 16-bit PIDs and SWIG can't find sys/types.h
+ *
+ * Capture the passed-in value as an intmax_t because pid_t is guaranteed
+ * to be a signed integer
+ */
+%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, intmax_t pid_large) {
+  conv_pid = SWIG_AsVal_long($input, &pid_large);
+  if (!SWIG_IsOK(conv_pid)) {
+    %argument_fail(conv_pid, "pid_t", $symname, $argnum);
+  }
+  /*
+   * Cast the long to a pid_t and then cast back to check for overflow
+   * Technically this is implementation-defined behaviour but we should be fine
+   */
+  $1 = (pid_t) pid_large;
+  if ((intmax_t) $1 != pid_large) {
+    SWIG_exception_fail(SWIG_OverflowError, "pid_t is too large");
+  }
+}
+
+extern int aa_find_mountpoint(char **mnt);
+extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
 extern int aa_gettaskcon(pid_t target, char **label, char **mode);
 extern int aa_getcon(char **label, char **mode);
-extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
-extern int aa_query_file_path_len(uint32_t mask, const char *label,
-				  size_t label_len, const char *path,
-				  size_t path_len, int *allowed, int *audited);
+
+/*
+ * Typemaps for the boolean outputs of the query functions
+ * Use boolean types for Python and int types elsewhere
+ */
+#ifdef SWIGPYTHON
+// TODO: find a way to deduplicate these
+%typemap(in, numinputs=0) int *allowed (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *allowed {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+
+%typemap(in, numinputs=0) int *audited (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *audited {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+#else
+%apply int *OUTPUT { int *allowed };
+%apply int *OUTPUT { int *audited };
+#endif
+
+/* Sync this with the apparmor.h */
+/* Permission flags for the AA_CLASS_FILE mediation class */
+#define AA_MAY_EXEC			(1 << 0)
+#define AA_MAY_WRITE			(1 << 1)
+#define AA_MAY_READ			(1 << 2)
+#define AA_MAY_APPEND			(1 << 3)
+#define AA_MAY_CREATE			(1 << 4)
+#define AA_MAY_DELETE			(1 << 5)
+#define AA_MAY_OPEN			(1 << 6)
+#define AA_MAY_RENAME			(1 << 7)
+#define AA_MAY_SETATTR			(1 << 8)
+#define AA_MAY_GETATTR			(1 << 9)
+#define AA_MAY_SETCRED			(1 << 10)
+#define AA_MAY_GETCRED			(1 << 11)
+#define AA_MAY_CHMOD			(1 << 12)
+#define AA_MAY_CHOWN			(1 << 13)
+#define AA_MAY_LOCK			0x8000
+#define AA_EXEC_MMAP			0x10000
+#define AA_MAY_LINK			0x40000
+#define AA_MAY_ONEXEC			0x20000000
+#define AA_MAY_CHANGE_PROFILE		0x40000000
+
 extern int aa_query_file_path(uint32_t mask, const char *label,
 			      const char *path, int *allowed, int *audited);
-extern int aa_query_link_path_len(const char *label, size_t label_len,
-				  const char *target, size_t target_len,
-				  const char *link, size_t link_len,
-				  int *allowed, int *audited);
 extern int aa_query_link_path(const char *label, const char *target,
 			      const char *link, int *allowed, int *audited);
 

libraries/libapparmor/swig/java/Makefile.am

@@ -1,21 +0,0 @@
-WRAPPERFILES = apparmorlogparse_wrap.c
-
-BUILT_SOURCES = apparmorlogparse_wrap.c
-
-all-local: apparmorlogparse_wrap.o
-	$(CC) -module apparmorlogparse_wrap.o -o libaalogparse.so
-        
-apparmorlogparse_wrap.o: apparmorlogparse_wrap.c
-	$(CC) -c apparmorlogparse_wrap.c $(CFLAGS) -I../../src -I/usr/include/classpath  -fno-strict-aliasing -o apparmorlogparse_wrap.o
-        
-clean-local:
-	rm -rf org
-
-apparmorlogparse_wrap.c: org/aalogparse ../SWIG/*.i
-	$(SWIG) -java -I../SWIG -I../../src -outdir org/aalogparse \
-		-package org.aalogparse -o apparmorlogparse_wrap.c libaalogparse.i
-
-org/aalogparse:
-	mkdir -p org/aalogparse
-
-EXTRA_DIST = $(BUILT_SOURCES) 

libraries/libapparmor/swig/python/Makefile.am

@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
 
 all-local: libapparmor_wrap.c setup.py
 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
-	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
+	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
 
 install-exec-local:
 	$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

libraries/libapparmor/swig/python/setup.py.in

@@ -2,7 +2,7 @@ from setuptools import setup, Extension
 import string
 
 setup(name          = 'LibAppArmor',
-      version       = '@VERSION@',
+      version       = '@VERSION@'.replace('~', '-'),
       author        = 'AppArmor Dev Team',
       author_email  = 'apparmor@lists.ubuntu.com',
       url           = 'https://wiki.apparmor.net',

libraries/libapparmor/swig/python/test/buildpath.py

@@ -7,7 +7,7 @@ import sysconfig
 import setuptools
 
 
-if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+if tuple(map(int, setuptools.__version__.split(".")[:2])) >= (62, 1):
     identifier = sys.implementation.cache_tag
 else:
     identifier = "%d.%d" % sys.version_info[:2]

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -55,10 +55,100 @@ NO_VALUE_MAP = {
     'fsuid': int(ctypes.c_ulong(-1).value),
     'ouid':  int(ctypes.c_ulong(-1).value),
 }
-
-
 class AAPythonBindingsTests(unittest.TestCase):
 
+    def setUp(self):
+        # REPORT ALL THE OUTPUT
+        self.maxDiff = None
+
+    def test_aa_splitcon(self):
+        AA_SPLITCON_EXPECT = [
+            ("unconfined", "unconfined", None),
+            ("unconfined\n", "unconfined", None),
+            ("/bin/ping (enforce)", "/bin/ping", "enforce"),
+            ("/bin/ping (enforce)\n", "/bin/ping", "enforce"),
+            ("/usr/sbin/rsyslog (complain)", "/usr/sbin/rsyslog", "complain"),
+        ]
+        for context, expected_label, expected_mode in AA_SPLITCON_EXPECT:
+            actual_label, actual_mode = libapparmor.aa_splitcon(context)
+            if expected_label is None:
+                self.assertIsNone(actual_label)
+            else:
+                self.assertIsInstance(actual_label, str)
+                self.assertEqual(expected_label, actual_label)
+
+            if expected_mode is None:
+                self.assertIsNone(actual_mode)
+            else:
+                self.assertIsInstance(actual_mode, str)
+                self.assertEqual(expected_mode, actual_mode)
+
+        with self.assertRaises(ValueError):
+            libapparmor.aa_splitcon("")
+
+    def test_aa_is_enabled(self):
+        aa_enabled = libapparmor.aa_is_enabled()
+        self.assertIsInstance(aa_enabled, bool)
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_find_mountpoint(self):
+        mount_point = libapparmor.aa_find_mountpoint()
+        self.assertIsInstance(mount_point, str)
+        self.assertGreater(len(mount_point), 0, "mount point should not be empty")
+        self.assertTrue(os.path.isdir(mount_point))
+
+    # TODO: test commented out functions (or at least their prototypes)
+    # extern int aa_change_profile(const char *profile);
+    # extern int aa_change_onexec(const char *profile);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_change_hats(self):
+        # Changing hats will fail because we have no valid hats to change to
+        # However, we still verify that we get an OSError instead of a TypeError
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hat("nonexistent_profile", 12345678)
+
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hatv(["nonexistent_1", "nonexistent_2"], 0xabcdef)
+            libapparmor.aa_change_hatv(("nonexistent_1", "nonexistent_2"), 0xabcdef)
+
+    # extern int aa_stack_profile(const char *profile);
+    # extern int aa_stack_onexec(const char *profile);
+    # extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
+    # extern int aa_gettaskcon(pid_t target, char **label, char **mode);
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_gettaskcon(self):
+        # Our test harness should be running us as unconfined
+        # Get our own pid and this should be equivalent to aa_getcon
+        pid = os.getpid()
+
+        label, mode = libapparmor.aa_gettaskcon(pid)
+        self.assertEqual(label, "unconfined", "aa_gettaskcon label should be unconfined")
+        self.assertIsNone(mode, "aa_gettaskcon mode should be unconfined")
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_getcon(self):
+        # Our test harness should be running us as unconfined
+        label, mode = libapparmor.aa_getcon()
+        self.assertEqual(label, "unconfined", "aa_getcon label should be unconfined")
+        self.assertIsNone(mode, "aa_getcon mode should be unconfined")
+
+    # extern int aa_getpeercon(int fd, char **label, char **mode);
+
+    # extern int aa_query_file_path(uint32_t mask, const char *label,
+    #                 const char *path, int *allowed, int *audited);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_query_file_path(self):
+        aa_query_mask = libapparmor.AA_MAY_EXEC | libapparmor.AA_MAY_READ | libapparmor.AA_MAY_WRITE
+        allowed, audited = libapparmor.aa_query_file_path(aa_query_mask, "unconfined", "/tmp/hello")
+        self.assertTrue(allowed)
+        self.assertFalse(audited)
+    # extern int aa_query_link_path(const char *label, const char *target,
+    #                 const char *link, int *allowed, int *audited);
+
+
+class AALogParsePythonBindingsTests(unittest.TestCase):
+
     def setUp(self):
         # REPORT ALL THE OUTPUT
         self.maxDiff = None
@@ -118,6 +208,9 @@ class AAPythonBindingsTests(unittest.TestCase):
                 # FIXME: out files should report log version?
                 # FIXME: or can we just deprecate v1 logs?
                 continue
+            elif key == "thisown":
+                # SWIG generates this key to track memory allocation
+                continue
             elif key in NO_VALUE_MAP:
                 if NO_VALUE_MAP[key] == value:
                     continue
@@ -142,7 +235,7 @@ def main():
         def stub_test(self, testname=f):
             self._runtest(testname)
         stub_test.__doc__ = "test " + f
-        setattr(AAPythonBindingsTests, 'test_' + f, stub_test)
+        setattr(AALogParsePythonBindingsTests, 'test_' + f, stub_test)
     return unittest.main(verbosity=2)
 
 

libraries/libapparmor/testsuite/test_multi.c

@@ -1,5 +1,3 @@
-#define _GNU_SOURCE /* for glibc's basename version */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -7,6 +5,12 @@
 
 #include <aalogparse.h>
 
+static const char *basename(const char *path)
+{
+	const char *p = strrchr(path, '/');
+	return p ? p + 1 : path;
+}
+
 int print_results(aa_log_record *record);
 
 int main(int argc, char **argv)
@@ -103,7 +107,7 @@ int print_results(aa_log_record *record)
 		print_string("Name", record->name);
 		print_string("Command", record->comm);
 		print_string("Name2", record->name2);
-		print_string("Namespace", record->namespace);
+		print_string("Namespace", record->aa_namespace);
 		print_string("Attribute", record->attribute);
 		print_long("Task", record->task, 0);
 		print_long("Parent", record->parent, 0);
@@ -115,6 +119,8 @@ int print_results(aa_log_record *record)
 		print_long("Peer PID", record->peer_pid, 0);
 		print_string("Active hat", record->active_hat);
 
+		print_string("Net Addr", record->net_addr);
+		print_string("Peer Addr", record->peer_addr);
 		print_string("Network family", record->net_family);
 		print_string("Socket type", record->net_sock_type);
 		print_string("Protocol", record->net_protocol);
@@ -134,7 +140,9 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
-		print_string("Class", record->class);
+		print_string("Execpath", record->execpath);
+
+		print_string("Class", record->rule_class);
 
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);

libraries/libapparmor/testsuite/test_multi/exec01.profile

@@ -1,2 +1,4 @@
 /home/cb/bin/hello.sh {
+  /usr/bin/rm mrix,
+
 }

libraries/libapparmor/testsuite/test_multi/exec02.profile

@@ -1,2 +1,4 @@
 /usr/bin/wireshark {
+  /usr/lib64/wireshark/extcap/androiddump mrix,
+
 }

libraries/libapparmor/testsuite/test_multi/file_inherit_network_lp1509030.profile

@@ -1,4 +1,4 @@
 /usr/lib/NetworkManager/nm-dhcp-client.action {
-  network inet6 dgram,
+  network inet6 dgram port=10580,
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_lp1466812.profile

@@ -1,4 +1,4 @@
 /usr/sbin/apache2 {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:192.168.236.159 port=80 peer=(ip=::ffff:192.168.103.80 port=61985),
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1577051.profile

@@ -1,7 +1,7 @@
 /usr/sbin/apache2 {
 
   ^www.xxxxxxxxxx.co.uk {
-    network inet6 stream,
+    network (send) inet6 stream ip=::ffff:192.168.1.100 port=80 peer=(ip=::ffff:192.168.1.100 port=45658),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1582374.profile

@@ -1,7 +1,7 @@
 /usr/local/apache-tomcat-8.0.33/bin/catalina.sh {
 
   ^/usr/local/jdk1.8.0_92/bin/java {
-    network inet6 stream,
+    network (receive) inet6 stream ip=::ffff:127.0.0.1 port=8080 peer=(ip=::ffff:127.0.0.1 port=52308),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/testcase01.profile

@@ -1,4 +1,4 @@
 /bin/ping {
-  ping2 ix,
+  /bin/ping mrix,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase12.profile

@@ -1,4 +1,4 @@
 /bin/ping {
-  /bin/ping ix,
+  /bin/ping mrix,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase13.profile

@@ -1,4 +1,4 @@
 /bin/ping {
-  /bin/ping ix,
+  /bin/ping mrix,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase31.profile

@@ -0,0 +1,4 @@
+/home/steve/aa-regression-tests/link {
+  /tmp/sdtest.8236-29816-IN8243/target l,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase36.in

@@ -0,0 +1 @@
+2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122

libraries/libapparmor/testsuite/test_multi/testcase36.out

@@ -0,0 +1,15 @@
+START
+File: testcase36.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1737963096.225:3240
+Operation: getattr
+Mask: r
+fsuid: 122
+ouid: 122
+Profile: /usr/sbin/mosquitto
+Name: /etc/mosquitto/pwfile
+Command: mosquitto
+PID: 8119
+Class: file
+Epoch: 1737963096
+Audit subid: 3240

libraries/libapparmor/testsuite/test_multi/testcase36.profile

@@ -0,0 +1,4 @@
+/usr/sbin/mosquitto {
+  /etc/mosquitto/pwfile r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.profile

@@ -1,3 +1,4 @@
 /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
-  dbus send bus=system path=/org/freedesktop/systemd1  interface=org.freedesktop.systemd1.Manager  member=LookupDynamicUserByName peer=( name=org.freedesktop.systemd1, label=unconfined),
+  dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=(label=unconfined),
+
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
-  mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+  mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

@@ -0,0 +1,4 @@
+profile steam {
+  mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_01.profile

@@ -1,4 +1,4 @@
 /usr/bin/evince-thumbnailer {
-  network inet stream,
+  network inet stream ip=192.168.66.150 port=765 peer=(ip=192.168.66.200 port=2049),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_02.profile

@@ -1,4 +1,4 @@
 /usr/bin/evince-thumbnailer {
-  network inet stream,
+  network inet stream port=765 peer=(port=2049),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_03.profile

@@ -1,4 +1,4 @@
 /usr/lib/dovecot/imap-login {
-  network inet6 stream,
+  network inet6 stream port=143,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_04.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/tmp/nc {
-  network inet6 stream,
+  network inet6 stream ip=::1 port=2048 peer=(ip=::1 port=33986),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_05.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/tmp/nc {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:127.0.0.1 port=2048 peer=(ip=::ffff:127.0.0.1 port=59180),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_06.in

@@ -0,0 +1 @@
+[319992.813426] audit: type=1400 audit(1716557137.764:477): apparmor="DENIED" operation="recvmsg" class="net" info="failed remote addr match" error=-13 profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=22237 comm="net_inet_rcv" laddr=127.0.97.3 lport=3456 saddr=127.0.97.3 src=3456 family="inet" sock_type="dgram" protocol=17 requested="receive" denied="receive"

libraries/libapparmor/testsuite/test_multi/testcase_network_06.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_06.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716557137.764:477
+Operation: recvmsg
+Mask: receive
+Denied Mask: receive
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+Info: failed remote addr match
+ErrorCode: 13
+PID: 22237
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.0.97.3
+Local port: 3456
+Class: net
+Epoch: 1716557137
+Audit subid: 477

libraries/libapparmor/testsuite/test_multi/testcase_network_06.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (receive) inet dgram ip=127.0.97.3 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_07.in

@@ -0,0 +1 @@
+[321266.557863] audit: type=1400 audit(1716558411.518:583): apparmor="DENIED" operation="bind" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=23602 comm="net_inet_rcv" saddr=127.0.97.3 src=3456 family="inet" sock_type="dgram" protocol=17 requested="bind" denied="bind"

libraries/libapparmor/testsuite/test_multi/testcase_network_07.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_07.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716558411.518:583
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+PID: 23602
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.0.97.3
+Local port: 3456
+Class: net
+Epoch: 1716558411
+Audit subid: 583

libraries/libapparmor/testsuite/test_multi/testcase_network_07.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (bind) inet dgram ip=127.0.97.3 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_08.in

@@ -0,0 +1 @@
+[321557.117710] audit: type=1400 audit(1716558702.097:793): apparmor="DENIED" operation="setsockopt" class="net" info="failed cmd selection match" error=-13 profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=26135 comm="net_inet_rcv" family="inet" sock_type="dgram" protocol=17 requested="setopt" denied="setopt"

libraries/libapparmor/testsuite/test_multi/testcase_network_08.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_08.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716558702.097:793
+Operation: setsockopt
+Mask: setopt
+Denied Mask: setopt
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+Info: failed cmd selection match
+ErrorCode: 13
+PID: 26135
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Class: net
+Epoch: 1716558702
+Audit subid: 793

libraries/libapparmor/testsuite/test_multi/testcase_network_08.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (setopt) inet dgram,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_09.in

@@ -0,0 +1 @@
+[338728.513756] audit: type=1400 audit(1716575873.613:1160): apparmor="DENIED" operation="sendmsg" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd" pid=31340 comm="net_inet_snd" laddr=127.187.243.54 lport=3457 saddr=127.187.243.54 src=3457 daddr=127.0.97.3 dest=3456 family="inet" sock_type="dgram" protocol=17 requested="send" denied="send"

libraries/libapparmor/testsuite/test_multi/testcase_network_09.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_09.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716575873.613:1160
+Operation: sendmsg
+Mask: send
+Denied Mask: send
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd
+Command: net_inet_snd
+PID: 31340
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.187.243.54
+Foreign addr: 127.0.97.3
+Local port: 3457
+Foreign port: 3456
+Class: net
+Epoch: 1716575873
+Audit subid: 1160

libraries/libapparmor/testsuite/test_multi/testcase_network_09.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd {
+  network (send) inet dgram ip=127.187.243.54 port=3457 peer=(ip=127.0.97.3 port=3456),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_10.in

@@ -0,0 +1 @@
+[341455.536270] audit: type=1400 audit(1716578600.733:1467): apparmor="DENIED" operation="bind" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=35013 comm="net_inet_rcv" saddr=fd74:1820:b03a:b361::cf32 src=3456 family="inet6" sock_type="dgram" protocol=17 requested="bind" denied="bind"

libraries/libapparmor/testsuite/test_multi/testcase_network_10.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_10.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716578600.733:1467
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+PID: 35013
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: fd74:1820:b03a:b361::cf32
+Local port: 3456
+Class: net
+Epoch: 1716578600
+Audit subid: 1467

libraries/libapparmor/testsuite/test_multi/testcase_network_10.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (bind) inet6 dgram ip=fd74:1820:b03a:b361::cf32 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_11.in

@@ -0,0 +1 @@
+[342092.040080] audit: type=1400 audit(1716579237.240:2187): apparmor="DENIED" operation="sendmsg" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd" pid=43431 comm="net_inet_snd" laddr=fd74:1820:b03a:b361::a0f9 lport=3457 saddr=fd74:1820:b03a:b361::a0f9 src=3457 daddr=fd74:1820:b03a:b361::cf32 dest=3456 family="inet6" sock_type="dgram" protocol=17 requested="send" denied="send"

libraries/libapparmor/testsuite/test_multi/testcase_network_11.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716579237.240:2187
+Operation: sendmsg
+Mask: send
+Denied Mask: send
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd
+Command: net_inet_snd
+PID: 43431
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: fd74:1820:b03a:b361::a0f9
+Foreign addr: fd74:1820:b03a:b361::cf32
+Local port: 3457
+Foreign port: 3456
+Class: net
+Epoch: 1716579237
+Audit subid: 2187

libraries/libapparmor/testsuite/test_multi/testcase_network_11.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd {
+  network (send) inet6 dgram ip=fd74:1820:b03a:b361::a0f9 port=3457 peer=(ip=fd74:1820:b03a:b361::cf32 port=3456),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_12.in

@@ -0,0 +1 @@
+[  310.308737] audit: type=1400 audit(1724847289.985:631): apparmor="ALLOWED" operation="getsockname" class="net" profile="/usr/bin/wg" pid=15374 comm="wg" laddr=::ffff:127.0.0.1 lport=53131 faddr=::ffff:127.0.0.1 fport=51821 saddr=::ffff:127.0.0.1 src=53131 family="inet6" sock_type="dgram" protocol=17 requested="getattr" denied="getattr"

libraries/libapparmor/testsuite/test_multi/testcase_network_12.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_12.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1724847289.985:631
+Operation: getsockname
+Mask: getattr
+Denied Mask: getattr
+Profile: /usr/bin/wg
+Command: wg
+PID: 15374
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 53131
+Foreign port: 51821
+Class: net
+Epoch: 1724847289
+Audit subid: 631

libraries/libapparmor/testsuite/test_multi/testcase_network_12.profile

@@ -0,0 +1,4 @@
+/usr/bin/wg {
+  network (getattr) inet6 dgram ip=::ffff:127.0.0.1 port=53131,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.profile

@@ -1,7 +1,7 @@
 /usr/bin/nginx-amplify-agent.py {
 
   ^null-/bin/dash {
-    network inet stream,
+    network (receive, send) inet stream ip=192.168.10.3 port=50758 peer=(ip=54.153.70.241 port=443),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/testcase_unix_01.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1711454639.955:322): apparmor="DENIED" operation="connect" class="net" profile="/home/user/test/client.py" pid=80819 comm="client.py" family="unix" sock_type="stream" protocol=0 requested="send receive connect" denied="send receive connect" addr=none peer_addr="@test_abstract_socket" peer="/home/user/test/server.py"

libraries/libapparmor/testsuite/test_multi/testcase_unix_01.out

@@ -0,0 +1,18 @@
+START
+File: testcase_unix_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1711454639.955:322
+Operation: connect
+Mask: send receive connect
+Denied Mask: send receive connect
+Profile: /home/user/test/client.py
+Peer: /home/user/test/server.py
+Command: client.py
+PID: 80819
+Peer Addr: @test_abstract_socket
+Network family: unix
+Socket type: stream
+Protocol: ip
+Class: net
+Epoch: 1711454639
+Audit subid: 322

libraries/libapparmor/testsuite/test_multi/testcase_unix_01.profile

@@ -0,0 +1,4 @@
+/home/user/test/client.py {
+  unix (connect, receive, send) type=stream peer=(addr=@test_abstract_socket),
+
+}