Prepare for AppArmor 4.0.1 release

- update version file
- update library version. addition of saddr/... parsing extends the
  record struct which is an interface addition.

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -266,8 +266,8 @@ tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
 tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
-tests/regression/apparmor/net_finegrained_rcv
-tests/regression/apparmor/net_finegrained_snd
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat

.gitlab-ci.yml

@@ -112,7 +112,7 @@ shellcheck:
   extends:
     - .ubuntu-before_script
   script:
-  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
+  - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
   - shellcheck --version
   - './tests/bin/shellcheck-tree --format=checkstyle
        | xmlstarlet tr tests/checkstyle2junit.xslt

common/Version

@@ -1 +1 @@
-4.0.0~beta2
+4.0.2

libraries/libapparmor/configure.ac

@@ -93,7 +93,7 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
 fi
 
 m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
-EXTRA_CFLAGS="-Wall $(EXTRA_WARNINGS) -fPIC"
+EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
 AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
 AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
 	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]

libraries/libapparmor/src/Makefile.am

@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
 #
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
 
-AA_LIB_CURRENT = 18
-AA_LIB_REVISION = 1
-AA_LIB_AGE = 17
-EXPECTED_SO_NAME = libapparmor.so.1.17.1
+AA_LIB_CURRENT = 19
+AA_LIB_REVISION = 0
+AA_LIB_AGE = 18
+EXPECTED_SO_NAME = libapparmor.so.1.18.0
 
 SUFFIXES = .pc.in .pc
 

libraries/libapparmor/src/scanner.l

@@ -157,9 +157,13 @@ key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
 key_laddr		"laddr"
+key_saddr		"saddr"
 key_faddr		"faddr"
+key_daddr		"daddr"
 key_lport		"lport"
+key_srcport		"src"
 key_fport		"fport"
+key_destport		"dest"
 key_bus			"bus"
 key_dest		"dest"
 key_path		"path"
@@ -351,9 +355,13 @@ yy_flex_debug = 0;
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
 {key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_saddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_daddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_lport}		{ return(TOK_KEY_LPORT); }
+{key_srcport}		{ return(TOK_KEY_LPORT); }
 {key_fport}		{ return(TOK_KEY_FPORT); }
+{key_destport}		{ return(TOK_KEY_FPORT); }
 {key_bus}		{ return(TOK_KEY_BUS); }
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }

libraries/libapparmor/swig/python/Makefile.am

@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
 
 all-local: libapparmor_wrap.c setup.py
 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
-	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
+	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
 
 install-exec-local:
 	$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
-  mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+  mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

@@ -0,0 +1,4 @@
+profile steam {
+  mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}

parser/Makefile

@@ -440,7 +440,6 @@ install-arch: $(INSTALLDEPS)
 install-indep: indep
 	install -m 755 -d $(INSTALL_CONFDIR)
 	install -m 644 parser.conf $(INSTALL_CONFDIR)
-	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
 	install -m 755 profile-load $(APPARMOR_BIN_PREFIX)

parser/all_rule.cc

@@ -39,7 +39,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	prefix_rule_t *rule;
 	const prefixes *prefix = this;
 
-	rule = new unix_rule(0, audit, rule_mode);
+	rule = new unix_rule(0xffffffff, audit, rule_mode);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
@@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
-	rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 

parser/all_rule.h

@@ -29,8 +29,6 @@
 class all_rule: public prefix_rule_t {
 	void move_conditionals(struct cond_entry *conds);
 public:
-	char *label;
-
 	all_rule(void): prefix_rule_t(RULE_TYPE_ALL) { }
 
 	virtual bool valid_prefix(const prefixes &p, const char *&error) {

parser/apparmor.d.pod

@@ -148,7 +148,14 @@ B<CAPABILITY LIST> = ( I<CAPABILITY> )+
 B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
 capabilities(7))
 
-B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
+B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<NETWORK ACCESS EXPR> ] [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ] [ I<NETWORK LOCAL EXPR> ] [ I<NETWORK PEER EXPR> ]
+
+B<NETWORK ACCESS EXPR> = ( I<NETWORK ACCESS> | I<NETWORK ACCESS LIST> )
+
+B<NETWORK ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
+  Some access modes are incompatible with some rules.
+
+B<NETWORK ACCESS LIST> = '(' I<NETWORK ACCESS> ( [','] I<NETWORK ACCESS> )* ')'
 
 B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' | 'mctp' ) ','
 
@@ -156,6 +163,22 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
 B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
 
+B<NETWORK LOCAL EXPR> = ( I<NETWORK IP COND> | I<NETWORK PORT COND> )*
+  Each cond can appear at most once.
+
+B<NETWORK PEER EXPR> = 'peer' '=' '(' ( I<NETWORK IP COND> | I<NETWORK PORT COND> )+ ')'
+  Each cond can appear at most once.
+
+B<NETWORK IP COND> = 'ip' '=' ( 'none' | I<NETWORK IPV4> | I<NETWORK IPV6> )
+
+B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> )
+
+B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
+
+B<NETWORK IPV6> = IPv6, represented by eight groups of four hexadecimal numbers separated by ':'. Shortened representation of contiguous zeros is allowed by using '::'
+
+B<NETWORK PORT> = 16-bit number ranging from 0 to 65535
+
 B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
 
 B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]
@@ -912,11 +935,10 @@ and other operations that are typically reserved for the root user.
 
 =head2 Network Rules
 
-AppArmor supports simple coarse grained network mediation.  The network
-rule restrict all socket(2) based operations.  The mediation done is
-a coarse-grained check on whether a socket of a given type and family
-can be created, read, or written.  There is no mediation based of port
-number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
+AppArmor supports simple coarse grained network mediation.  The
+network rule restrict all socket(2) based operations.  The mediation
+done is a coarse-grained check on whether a socket of a given type and
+family can be created, read, or written. Network netlink(7) rules may
 only specify type 'dgram' and 'raw'.
 
 AppArmor network rules are accumulated so that the granted network
@@ -933,6 +955,48 @@ eg.
  network inet6 tcp,	#allow access to tcp only for inet6 addresses
  network netlink raw,	#allow access to AF_NETLINK SOCK_RAW
 
+=head3 Network permissions
+
+Network rule permissions are implied when a rule does not explicitly
+state an access list. By default if a rule does not have an access
+list all permissions that are compatible with the specified set of
+local and peer conditionals are implied.
+
+The create, bind, listen, shutdown, getattr, setattr, getopt, and
+setopt permissions are local socket permissions. They are only applied
+to the local socket and can't be specified in rules that have a peer
+conditional. The accept permission applies to the combination of a
+local and peer socket. The connect, send, and receive permissions are
+peer socket permissions.
+
+=head3 Mediation of inet/inet6 family
+
+AppArmor supports fine grained mediation of the inet and inet6
+families by using the ip and port conditionals. The ip conditional
+accepts both IPv4 and IPv6 using the regular representation of four
+octets separated by '.' for IPv4 and eight groups of four hexadecimal
+numbers separated by ':' for IPv6. Contiguous leading zeros can be
+replaced by '::' once. On a connected socket, the sender and receiver
+don't need to be specified in the recvfrom and sendto system calls. In
+that case, and with unbounded sockets, the IP address is none, or
+unknown. Unknown or Unbound IP addresses are represented in policy by the
+'none' keyword. When the ip conditional is omitted, then all IP
+addresses will be allowed: IPv4, IPv6 and none. If INADDR_ANY or
+in6addr_any is used, then the ip conditional can be omitted or they
+can be represented by:
+
+ network ip=::,		#allow in6addr_any
+ network ip=0.0.0.0;	#allow INADDR_ANY
+
+The network rules support the specification of local and remote IP
+addresses and ports.
+
+ network ip=127.0.0.1 port=8080,
+ network peer=(ip=10.139.15.23 port=8081),
+ network ip=fd74:1820:b03a:b361::cf32 peer=(ip=fd74:1820:b03a:b361::a0f9),
+ network port=8080 peer=(port=8081),
+ network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
+
 =head2 Mount Rules
 
 AppArmor supports mount mediation and allows specifying filesystem types and

parser/apparmor.systemd

@@ -17,6 +17,8 @@
 
 APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_action()
 {
     echo "$1"
@@ -25,36 +27,50 @@ aa_action()
     return $?
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_warning_msg()
 {
     echo "Warning: $*"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_failure_msg()
 {
     echo "Error: $*"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_action_start()
 {
     echo "$@"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_action_end()
 {
     printf ""
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_daemon_msg()
 {
     echo "$@"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_skipped_msg()
 {
     echo "Skipped: $*"
 }
 
+# This function is used in rc.apparmor.functions
+# shellcheck disable=SC2317
 aa_log_end_msg()
 {
     printf ""

parser/libapparmor_re/expr-tree.cc

@@ -189,6 +189,19 @@ void Node::dump_syntax_tree(ostream &os)
  *        a   b                    c   T
  *
  */
+
+
+static Node *simplify_eps_pair(Node *t)
+{
+	if (t->is_type(NODE_TYPE_TWOCHILD) &&
+	    t->child[0] == &epsnode &&
+	    t->child[1] == &epsnode) {
+		t->release();
+		return &epsnode;
+	}
+	return t;
+}
+
 static void rotate_node(Node *t, int dir)
 {
 	// (a | b) | c -> a | (b | c)
@@ -197,7 +210,9 @@ static void rotate_node(Node *t, int dir)
 	t->child[dir] = left->child[dir];
 	left->child[dir] = left->child[!dir];
 	left->child[!dir] = t->child[!dir];
-	t->child[!dir] = left;
+
+        // check that rotation didn't create (E | E)
+	t->child[!dir] = simplify_eps_pair(left);
 }
 
 /* return False if no work done */
@@ -209,13 +224,7 @@ int TwoChildNode::normalize_eps(int dir)
 		// Ea -> aE
 		// Test for E | (E | E) and E . (E . E) which will
 		// result in an infinite loop
-		Node *c = child[!dir];
-		if (c->is_type(NODE_TYPE_TWOCHILD) &&
-		    &epsnode == c->child[dir] &&
-		    &epsnode == c->child[!dir]) {
-			c->release();
-			c = &epsnode;
-		}
+		Node *c = simplify_eps_pair(child[!dir]);
 		child[!dir] = child[dir];
 		child[dir] = c;
 		return 1;

parser/mqueue.cc

@@ -192,14 +192,14 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		return RULE_NOT_SUPPORTED;
 	} else if (qtype == mqueue_sysv && !features_supports_sysv_mqueue) {
 		warn_once(prof.name);
-		//	return RULE_NOT_SUPPORTED;
+		return RULE_NOT_SUPPORTED;
 	} else if (qtype == mqueue_unspecified &&
 		   !(features_supports_posix_mqueue ||
 		     features_supports_sysv_mqueue)) {
 		warn_once(prof.name);
 		// should split into warning where posix and sysv can
 		// be separated from nothing being enforced
-		//	return RULE_NOT_SUPPORTED;
+		return RULE_NOT_SUPPORTED;
 	}
 
 	/* always generate a label and mqueue entry */
@@ -231,10 +231,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 			/* store perms at name match so label doesn't need
 			 * to be checked
 			 */
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
 				goto fail;
 		}
 	}
@@ -266,10 +266,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		}
 
 		if (perms & AA_VALID_SYSV_MQ_PERMS) {
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
 				goto fail;
 		}
 	}

parser/mqueue.h

@@ -52,13 +52,13 @@
  * kernel doesn't allow for us to control
  * - posix
  *   - notify
- *   - getattr/setattr
  *   - labels at anything other than mqueue label, via mqueue inode.
  */
 
 #define AA_VALID_POSIX_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ |    \
 				 AA_MQUEUE_CREATE | AA_MQUEUE_DELETE | \
-				 AA_MQUEUE_OPEN)
+				 AA_MQUEUE_OPEN |		       \
+				 AA_MQUEUE_SETATTR | AA_MQUEUE_GETATTR)
 
  /* TBD - for now make it wider than posix */
 #define AA_VALID_SYSV_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ |    \
@@ -78,6 +78,11 @@ typedef enum mqueue_type {
 	mqueue_sysv
 } mqueue_type;
 
+static inline uint32_t map_mqueue_perms(uint32_t mask)
+{
+	return (mask & 0x7f) |
+		((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
+}
 
 int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail);
 

parser/network.cc

@@ -252,6 +252,19 @@ const char *net_find_af_name(unsigned int af)
 	return NULL;
 }
 
+const char *net_find_protocol_name(unsigned int protocol)
+{
+	size_t i;
+
+	for (i = 0; i < sizeof(network_mappings) / sizeof(*network_mappings); i++) {
+		if (network_mappings[i].protocol == protocol) {
+			return network_mappings[i].protocol_name;
+		}
+	}
+
+	return NULL;
+}
+
 const struct network_tuple *net_find_mapping(const struct network_tuple *map,
 					     const char *family,
 					     const char *type,
@@ -331,8 +344,8 @@ bool parse_port_number(const char *port_entry, uint16_t *port) {
 	char *eptr;
 	unsigned long port_tmp = strtoul(port_entry, &eptr, 10);
 
-	if (port_tmp >= 0 && port_entry != eptr &&
-	    *eptr == '\0' && port_tmp <= UINT16_MAX) {
+	if (port_entry != eptr && *eptr == '\0' &&
+	    port_tmp <= UINT16_MAX) {
 		*port = port_tmp;
 		return true;
 	}
@@ -347,6 +360,10 @@ bool network_rule::parse_port(ip_conds &entry)
 
 bool network_rule::parse_address(ip_conds &entry)
 {
+	if (strcmp(entry.sip, "none") == 0) {
+		entry.is_none = true;
+		return true;
+	}
 	entry.is_ip = true;
 	return parse_ip(entry.sip, &entry.ip);
 }
@@ -374,30 +391,45 @@ void network_rule::move_conditionals(struct cond_entry *conds, ip_conds &ip_cond
 	}
 }
 
-void network_rule::set_netperm(unsigned int family, unsigned int type)
+void network_rule::set_netperm(unsigned int family, unsigned int type, unsigned int protocol)
 {
 	if (type > SOCK_PACKET) {
 		/* setting mask instead of a bit */
-		network_perms[family] |= type;
+		network_perms[family].first |= type;
 	} else
-		network_perms[family] |= 1 << type;
+		network_perms[family].first |= 1 << type;
+	network_perms[family].second |= protocol;
 }
 
 network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
 			   struct cond_entry *peer_conds):
-	dedup_perms_rule_t(AA_CLASS_NETV8)
+	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
-	size_t family_index;
-	for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
-		network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
-		set_netperm(family_index, 0xFFFFFFFF);
-	}
+	size_t family_index, i;
 
 	move_conditionals(conds, local);
 	move_conditionals(peer_conds, peer);
 	free_cond_list(conds);
 	free_cond_list(peer_conds);
 
+	if (has_local_conds() || has_peer_conds()) {
+		const char *family[] = { "inet", "inet6" };
+		for (i = 0; i < sizeof(family)/sizeof(family[0]); i++) {
+			const struct network_tuple *mapping = NULL;
+			while ((mapping = net_find_mapping(mapping, family[i], NULL, NULL))) {
+				network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
+				set_netperm(mapping->family, mapping->type, mapping->protocol);
+			}
+		}
+	} else {
+		for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
+			network_map[family_index].push_back({ family_index, 0xFFFFFFFF, 0xFFFFFFFF });
+			set_netperm(family_index, 0xFFFFFFFF, 0xFFFFFFFF);
+		}
+	}
+
+
+
 	if (perms_p) {
 		perms = perms_p;
 		if (perms & ~AA_VALID_NET_PERMS)
@@ -412,29 +444,45 @@ network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
 network_rule::network_rule(perms_t perms_p, const char *family, const char *type,
 			   const char *protocol, struct cond_entry *conds,
 			   struct cond_entry *peer_conds):
-	dedup_perms_rule_t(AA_CLASS_NETV8)
+	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
 	const struct network_tuple *mapping = NULL;
-	while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
-		network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
-		set_netperm(mapping->family, mapping->type);
-	}
-
-	if (type == NULL && network_map.empty()) {
-		while ((mapping = net_find_mapping(mapping, type, family, protocol))) {
-			network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
-			set_netperm(mapping->family, mapping->type);
-		}
-	}
-
-	if (network_map.empty())
-		yyerror(_("Invalid network entry."));
 
 	move_conditionals(conds, local);
 	move_conditionals(peer_conds, peer);
 	free_cond_list(conds);
 	free_cond_list(peer_conds);
 
+	while ((mapping = net_find_mapping(mapping, family, type, protocol))) {
+		/* if inet conds and family are specified, fail if
+		 * family is not af_inet or af_inet6
+		 */
+		if ((has_local_conds() || has_peer_conds()) &&
+		    mapping->family != AF_INET && mapping->family != AF_INET6) {
+			yyerror("network family does not support local or peer conditionals\n");
+		}
+		network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
+		set_netperm(mapping->family, mapping->type, mapping->protocol);
+	}
+
+	if (type == NULL && network_map.empty()) {
+		while ((mapping = net_find_mapping(mapping, type, family, protocol))) {
+			/* if inet conds and type/protocol are
+			 * specified, only add rules for af_inet and
+			 * af_inet6
+			 */
+			if ((has_local_conds() || has_peer_conds()) &&
+			    mapping->family != AF_INET && mapping->family != AF_INET6)
+				continue;
+
+			network_map[mapping->family].push_back({ mapping->family, mapping->type, mapping->protocol });
+			set_netperm(mapping->family, mapping->type, mapping->protocol);
+		}
+	}
+
+	if (network_map.empty())
+		yyerror(_("Invalid network entry."));
+
 	if (perms_p) {
 		perms = perms_p;
 		if (perms & ~AA_VALID_NET_PERMS)
@@ -447,10 +495,10 @@ network_rule::network_rule(perms_t perms_p, const char *family, const char *type
 }
 
 network_rule::network_rule(perms_t perms_p, unsigned int family, unsigned int type):
-	dedup_perms_rule_t(AA_CLASS_NETV8)
+	dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
 {
 	network_map[family].push_back({ family, type, 0xFFFFFFFF });
-	set_netperm(family, type);
+	set_netperm(family, type, 0xFFFFFFFF);
 
 	if (perms_p) {
 		perms = perms_p;
@@ -479,7 +527,8 @@ ostream &network_rule::dump(ostream &os)
 
 	for (const auto& perm : network_perms) {
 		unsigned int family = perm.first;
-		unsigned int type = perm.second;
+		unsigned int type = perm.second.first;
+		unsigned int protocol = perm.second.second;
 
 		const char *family_name = net_find_af_name(family);
 		if (family_name)
@@ -507,6 +556,12 @@ ostream &network_rule::dump(ostream &os)
 			os << " #" << std::hex << (type & mask);
 
 		printf(" }");
+
+		const char *protocol_name = net_find_protocol_name(protocol);
+		if (protocol_name)
+			os << " " << protocol_name;
+		else
+			os << " #" << protocol;
 	}
 
 	os << ",\n";
@@ -531,14 +586,14 @@ std::string gen_ip_cond(const struct ip_address ip)
 	int i;
 	if (ip.family == AF_INET) {
 		/* add a byte containing the size of the following ip */
-		oss << "\\x04";
+		oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
 
 		u8 *byte = (u8 *) &ip.address.address_v4; /* in network byte order */
 		for (i = 0; i < 4; i++)
 			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(byte[i]);
 	} else {
 		/* add a byte containing the size of the following ip */
-		oss << "\\x10";
+		oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV6_SIZE;
 		for (i = 0; i < 16; ++i)
 			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(ip.address.address_v6[i]);
 	}
@@ -557,48 +612,114 @@ std::string gen_port_cond(uint16_t port)
 	return oss.str();
 }
 
-void network_rule::gen_ip_conds(std::ostringstream &oss, ip_conds entry, bool is_peer, bool is_cmd)
+std::list<std::ostringstream> gen_all_ip_options(std::ostringstream &oss) {
+
+	std::list<std::ostringstream> all_streams;
+	std::ostringstream none, ipv4, ipv6;
+	int i;
+	none << oss.str();
+	ipv4 << oss.str();
+	ipv6 << oss.str();
+
+	none << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
+
+	/* add a byte containing the size of the following ip */
+	ipv4 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV4_SIZE;
+	for (i = 0; i < 4; i++)
+		ipv4 << ".";
+
+	/* add a byte containing the size of the following ip */
+	ipv6 << "\\x" << std::setfill('0') << std::setw(2) << std::hex << IPV6_SIZE;
+	for (i = 0; i < 16; ++i)
+		ipv6 << ".";
+
+	all_streams.push_back(std::move(none));
+	all_streams.push_back(std::move(ipv4));
+	all_streams.push_back(std::move(ipv6));
+
+	return all_streams;
+}
+
+std::list<std::ostringstream> copy_streams_list(std::list<std::ostringstream> &streams)
 {
-	/* encode protocol */
-	if (!is_cmd) {
-		if (entry.is_ip) {
-			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((entry.ip.family & 0xff00) >> 8);
-			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (entry.ip.family & 0xff);
+	std::list<std::ostringstream> streams_copy;
+	for (auto &oss : streams) {
+		std::ostringstream oss_copy(oss.str());
+		streams_copy.push_back(std::move(oss_copy));
+	}
+	return streams_copy;
+}
+
+bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
+{
+	std::string buf;
+	perms_t cond_perms;
+	std::list<std::ostringstream> ip_streams;
+
+	for (auto &oss : streams) {
+		if (entry.is_port && !(entry.is_ip && entry.is_none)) {
+			/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
+			if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
+				oss << "\\x01";
+			else if (is_peer)
+				oss << "\\x02";
+			else
+				oss << "\\x00";
+
+			oss << gen_port_cond(entry.port);
 		} else {
-			oss << "..";
+			/* port type + port number */
+			oss << "...";
 		}
 	}
 
-	if (entry.is_port) {
-		/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
-		if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
-			oss << "\\x01";
-		else if (is_peer)
-			oss << "\\x02";
-		else
-			oss << "\\x00";
+	ip_streams = std::move(streams);
+	streams.clear();
 
-		oss << gen_port_cond(entry.port);
-	} else {
-		/* port type + port number */
-		if (!is_cmd)
-			oss << ".";
-		oss << "..";
+	for (auto &oss : ip_streams) {
+		if (entry.is_ip) {
+			oss << gen_ip_cond(entry.ip);
+			streams.push_back(std::move(oss));
+		} else if (entry.is_none) {
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << NONE_SIZE;
+			streams.push_back(std::move(oss));
+		} else {
+			streams.splice(streams.end(), gen_all_ip_options(oss));
+		}
 	}
 
-	if (entry.is_ip) {
-		oss << gen_ip_cond(entry.ip);
-	} else {
-		/* encode 0 to indicate there's no ip (ip size) */
-		oss << "\\x00";
-	}
+	cond_perms = map_perms(perms);
+	if (!is_cmd && (label || is_peer))
+		cond_perms = (AA_CONT_MATCH << 1);
 
-	oss << "\\-x01"; /* oob separator */
-	oss << default_match_pattern; /* label - not used for now */
-	oss << "\\x00"; /* null transition */
+	for (auto &oss : streams) {
+		oss << "\\x00"; /* null transition */
+
+		buf = oss.str();
+		/* AA_CONT_MATCH mapping (cond_perms) only applies to perms, not audit */
+		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, cond_perms,
+						 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+						 parseopts))
+			return false;
+
+		if (label || is_peer) {
+			if (!is_peer)
+				cond_perms = map_perms(perms);
+
+			oss << default_match_pattern; /* label - not used for now */
+			oss << "\\x00"; /* null transition */
+
+			buf = oss.str();
+			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, cond_perms,
+							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+							 parseopts))
+				return false;
+		}
+	}
+	return true;
 }
 
-bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask) {
+bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol) {
 	std::ostringstream buffer;
 	std::string buf;
 
@@ -621,49 +742,87 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
 		return true;
 	}
 
-	if (perms & AA_PEER_NET_PERMS) {
-		gen_ip_conds(buffer, peer, true, false);
-
-		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
-
-		gen_ip_conds(buffer, local, false, true);
-
-		buf = buffer.str();
-		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
-						 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+	buf = buffer.str();
+	/* create perms need to be generated excluding the rest of the perms */
+	if (perms & AA_NET_CREATE) {
+		if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms & AA_NET_CREATE) | (AA_CONT_MATCH << 1),
+						 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms & AA_NET_CREATE) : 0,
 						 parseopts))
 			return false;
 	}
-	if ((perms & AA_NET_LISTEN) || (perms & AA_NET_OPT)) {
-		gen_ip_conds(buffer, local, false, false);
 
-		if (perms & AA_NET_LISTEN) {
-			std::ostringstream cmd_buffer;
-			cmd_buffer << buffer.str();
-			cmd_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
-			/* length of queue allowed - not used for now */
-			cmd_buffer << "..";
-			buf = cmd_buffer.str();
-			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
-							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
-							 parseopts))
-				return false;
+	/* encode protocol */
+	if (protocol > 0xffff) {
+		buffer << "..";
+	} else {
+		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((protocol & 0xff00) >> 8);
+		buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (protocol & 0xff);
+	}
+
+	if (perms & AA_PEER_NET_PERMS) {
+		std::list<std::ostringstream> streams;
+		std::ostringstream cmd_buffer;
+
+		cmd_buffer << buffer.str();
+		streams.push_back(std::move(cmd_buffer));
+
+		if (!gen_ip_conds(prof, streams, peer, true, false))
+			return false;
+
+		for (auto &oss : streams) {
+			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
 		}
-		if (perms & AA_NET_OPT) {
-			std::ostringstream cmd_buffer;
-			cmd_buffer << buffer.str();
-			cmd_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
-			/* level - not used for now */
-			cmd_buffer << "..";
-			/* socket mapping - not used for now */
-			cmd_buffer << "..";
-			buf = cmd_buffer.str();
+
+		if (!gen_ip_conds(prof, streams, local, false, true))
+			return false;
+	}
+
+	std::list<std::ostringstream> streams;
+	std::ostringstream common_buffer;
+
+	common_buffer << buffer.str();
+	streams.push_back(std::move(common_buffer));
+
+	if (!gen_ip_conds(prof, streams, local, false, false))
+		return false;
+
+	if (perms & AA_NET_LISTEN) {
+		std::list<std::ostringstream> cmd_streams;
+		cmd_streams = copy_streams_list(streams);
+
+		for (auto &cmd_buffer : streams) {
+			std::ostringstream listen_buffer;
+			listen_buffer << cmd_buffer.str();
+			listen_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
+			/* length of queue allowed - not used for now */
+			listen_buffer << "..";
+			buf = listen_buffer.str();
 			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
 							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
 							 parseopts))
 				return false;
 		}
 	}
+	if (perms & AA_NET_OPT) {
+		std::list<std::ostringstream> cmd_streams;
+		cmd_streams = copy_streams_list(streams);
+
+		for (auto &cmd_buffer : streams) {
+			std::ostringstream opt_buffer;
+			opt_buffer << cmd_buffer.str();
+			opt_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
+			/* level - not used for now */
+			opt_buffer << "..";
+			/* socket mapping - not used for now */
+			opt_buffer << "..";
+			buf = opt_buffer.str();
+			if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
+							 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+							 parseopts))
+				return false;
+		}
+	}
+
 	return true;
 }
 
@@ -679,17 +838,18 @@ int network_rule::gen_policy_re(Profile &prof)
 
 	for (const auto& perm : network_perms) {
 		unsigned int family = perm.first;
-		unsigned int type = perm.second;
+		unsigned int type = perm.second.first;
+		unsigned int protocol = perm.second.second;
 
 		if (type > 0xffff) {
-			if (!gen_net_rule(prof, family, type))
+			if (!gen_net_rule(prof, family, type, protocol))
 				goto fail;
 		} else {
 			int t;
 			/* generate rules for types that are set */
 			for (t = 0; t < 16; t++) {
 				if (type & (1 << t)) {
-					if (!gen_net_rule(prof, family, t))
+					if (!gen_net_rule(prof, family, t, protocol))
 						goto fail;
 				}
 			}
@@ -760,13 +920,27 @@ void network_rule::update_compat_net(void)
 	}
 }
 
-static int cmp_network_map(std::unordered_map<unsigned int, perms_t> lhs,
-			   std::unordered_map<unsigned int, perms_t> rhs)
+static int cmp_ip_conds(ip_conds const &lhs, ip_conds const &rhs)
+{
+	int res = null_strcmp(lhs.sip, rhs.sip);
+	if (res)
+		return res;
+	res = null_strcmp(lhs.sport, rhs.sport);
+	if (res)
+		return res;
+	return lhs.is_none - rhs.is_none;
+}
+
+static int cmp_network_map(std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> lhs,
+			   std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> rhs)
 {
 	int res;
 	size_t family_index;
 	for (family_index = AF_UNSPEC; family_index < get_af_max(); family_index++) {
-		res = lhs[family_index] - rhs[family_index];
+		res = lhs[family_index].first - rhs[family_index].first;
+		if (res)
+			return res;
+		res = lhs[family_index].second - rhs[family_index].second;
 		if (res)
 			return res;
 	}
@@ -779,5 +953,14 @@ int network_rule::cmp(rule_t const &rhs) const
 	if (res)
 		return res;
 	network_rule const &nrhs = rule_cast<network_rule const &>(rhs);
-	return cmp_network_map(network_perms, nrhs.network_perms);
+	res = cmp_network_map(network_perms, nrhs.network_perms);
+	if (res)
+		return res;
+	res = cmp_ip_conds(local, nrhs.local);
+	if (res)
+		return res;
+	res = cmp_ip_conds(peer, nrhs.peer);
+	if (res)
+		return res;
+	return null_strcmp(label, nrhs.label);
 };

parser/network.h

@@ -26,6 +26,7 @@
 #include <arpa/inet.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <list>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -79,6 +80,10 @@
 #define CMD_LISTEN	2
 #define CMD_OPT		4
 
+#define NONE_SIZE	0
+#define IPV4_SIZE	1
+#define IPV6_SIZE	2
+
 struct network_tuple {
 	const char *family_name;
 	unsigned int family;
@@ -127,6 +132,8 @@ public:
 	uint16_t port;
 	struct ip_address ip;
 
+	bool is_none = false;
+
 	void free_conds() {
 		if (sip)
 			free(sip);
@@ -139,17 +146,18 @@ class network_rule: public dedup_perms_rule_t {
 	void move_conditionals(struct cond_entry *conds, ip_conds &ip_cond);
 public:
 	std::unordered_map<unsigned int, std::vector<struct aa_network_entry>> network_map;
-	std::unordered_map<unsigned int, perms_t> network_perms;
+	std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> network_perms;
 
 	ip_conds peer;
 	ip_conds local;
+	char *label;
 
 	bool has_local_conds(void) { return local.sip || local.sport; }
 	bool has_peer_conds(void) { return peer.sip || peer.sport; }
 	/* empty constructor used only for the profile to access
 	 * static elements to maintain compatibility with
 	 * AA_CLASS_NET */
-	network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
+	network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
 	network_rule(perms_t perms_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds);
 	network_rule(perms_t perms_p, const char *family, const char *type,
@@ -178,9 +186,9 @@ public:
 		}
 	};
 
-	void gen_ip_conds(std::ostringstream &oss, ip_conds entry, bool is_peer, bool is_cmd);
-	bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask);
-	void set_netperm(unsigned int family, unsigned int type);
+	bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd);
+	bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol);
+	void set_netperm(unsigned int family, unsigned int type, unsigned int protocol);
 	void update_compat_net(void);
 	bool parse_address(ip_conds &entry);
 	bool parse_port(ip_conds &entry);

parser/parser_lex.l

@@ -255,9 +255,11 @@ MODES		{MODE_CHARS}+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
 
+ID_FIRST_CHARS	[^ \t\r\n"!,#]
+ID_FIRST	{ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,|\\#)
 ID_CHARS	[^ \t\r\n"!,]
 ID 		{ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,)
-IDS		{ID}+
+IDS		{ID_FIRST}{ID}*
 INC_ID 		[^ \t\r\n"!,<>]|(,[^ \t\r\n"!,<>]|\\[ ]|\\\t|\\\"|\\!|\\,)
 INC_IDS		{INC_ID}+
 POST_VAR_ID_CHARS	[^ \t\n"!,]{-}[=\+]
@@ -507,6 +509,12 @@ GT		>
 		yyerror(_("Variable declarations do not accept trailing commas"));
 	}
 
+	#.*\r?\n	{ /* normal comment */
+		DUMP_AND_DEBUG("comment(%d): %s\n", current_lineno, yytext);
+		current_lineno++;
+		POP();
+	}
+
 	\\\n	{ DUMP_PREPROCESS; current_lineno++ ; }
 
 	\r?\n	{

parser/parser_main.c

@@ -921,7 +921,7 @@ void set_supported_features()
 							 "network_v8");
 	features_supports_inet = features_intersect(kernel_features,
 						    policy_features,
-						    "network/af_inet");
+						    "network_v8/af_inet");
 	features_supports_unix = features_intersect(kernel_features,
 						    policy_features,
 						    "network/af_unix");

parser/parser_regex.c

@@ -1000,41 +1000,46 @@ int process_profile_policydb(Profile *prof)
 	 * to be supported
 	 */
 
-	/* note: this activates fs based unix domain sockets mediation on connect */
-	if (kernel_abi_version > 5 &&
-	    !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_mount &&
-	    !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
-			goto out;
-	if (features_supports_dbus &&
-	    !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_signal &&
-	    !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_ptrace &&
-	    !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_networkv8 &&
-	    !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_unix &&
-	    (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
-	     !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
-		goto out;
 	if (features_supports_userns &&
 	    !prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
 		goto out;
-	if (features_supports_posix_mqueue &&
-	    !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_sysv_mqueue &&
-	    !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
-	if (features_supports_io_uring &&
-	    !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
-		goto out;
+
+	/* don't add mediated classes to unconfined profiles */
+	if (prof->flags.mode != MODE_UNCONFINED &&
+	    prof->flags.mode != MODE_DEFAULT_ALLOW) {
+		/* note: this activates fs based unix domain sockets mediation on connect */
+		if (kernel_abi_version > 5 &&
+		    !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_mount &&
+		    !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_dbus &&
+		    !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_signal &&
+		    !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_ptrace &&
+		    !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_networkv8 &&
+		    !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_unix &&
+		    (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
+		     !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
+			goto out;
+		if (features_supports_posix_mqueue &&
+		    !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_sysv_mqueue &&
+		    !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+		if (features_supports_io_uring &&
+		    !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
+			goto out;
+	}
 
 	if (prof->policy.rules->rule_count > 0) {
 		int xmatch_len = 0;

parser/rc.apparmor.functions

@@ -253,13 +253,14 @@ remove_profiles() {
 	retval=0
 	# We filter child profiles as removing the parent will remove
 	# the children
-	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
+	sed -e "s/ (\(enforce\|complain\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \
 	LC_COLLATE=C sort | grep -v // | {
 		while read -r profile ; do
 			printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"
 			rc=$?
 			if [ "$rc" -ne 0 ] ; then
 				retval=$rc
+				aa_log_failure_msg "Unloading profile '$profile' failed"
 			fi
 		done
 		return "$retval"

parser/tst/equality.sh

@@ -643,6 +643,18 @@ verify_binary_equality "attachment slash filtering" \
                         @{FOO}=/foo
 			   /t @{BAR}/@{FOO} { }"
 
+# verify comment at end of variable assignment is not treated as a value
+verify_binary_equality "comment at end of set var" \
+                       "/t { /bin/ r, }" \
+                       "@{BAR}=/bin/   #a tail comment
+			   /t { @{BAR} r, }"
+
+verify_binary_equality "value like comment at end of set var" \
+                       "/t { /{bin/,#value} r, }" \
+                       "@{BAR}=bin/   \#value
+			   /t { /@{BAR} r, }"
+
+
 # This can potentially fail as ideally it requires a better dfa comparison
 # routine as it can generates hormomorphic dfas. The enumeration of the
 # dfas dumped will be different, even if the binary is the same

parser/tst/simple_tests/mount/ok_opt_85.sd

@@ -0,0 +1,9 @@
+#
+#=Description test globbed destination MR 1195
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw, make-slave) -> **,
+  mount options=(rw) foo -> **,
+  mount fstype=tmpfs options=(rw) foo -> **,
+  mount -> **,
+}

parser/tst/simple_tests/mount/ok_quoted_1.sd

@@ -0,0 +1,9 @@
+#
+#=Description basic mount rules with quoted paths
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount    ""  -> "/",
+  mount    ""  -> "/tmp/",
+  umount "/",
+}

parser/tst/simple_tests/network/network_bad_83.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network unix ip=127.0.0.1 port=1234 peer=(ip=127.0.0.1 port=1234),
+
+}

parser/tst/simple_tests/network/network_bad_84.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network netlink ip=127.0.0.1,
+
+}

parser/tst/simple_tests/network/network_bad_85.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid family for inet conditionals
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network packet peer=(port=1234),
+
+}

parser/tst/simple_tests/network/network_ok_43.sd

@@ -5,5 +5,7 @@
 /usr/bin/foo {
   network inet ip=10.0.2.1 peer=(ip=10.0.2.1),
   network inet tcp ip=192.168.2.254 peer=(ip=192.168.2.254),
+  network stream ip=192.168.2.254 peer=(ip=192.168.2.254),
+  network raw ip=10.0.2.1 peer=(ip=10.0.2.1),
 
 }

parser/tst/simple_tests/network/network_ok_44.sd

@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION network none ip conditional test
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network ip=none,
+  network peer=(ip=none),
+  network inet ip=none peer=(ip=none),
+  network inet tcp ip=none peer=(ip=none),
+
+}

parser/tst/simple_tests/regressions/ok_normalize.sd

@@ -0,0 +1,25 @@
+#
+#=Description caused an infinite loop in expr normalization
+#=EXRESULT PASS
+
+# This test triggers an infinite loop bug in expr normalization
+# Note: this test might be able to be reduced more but, each element appears
+# to be required to trigger the bug.
+# that is the initial var assignment, += with the "comment" at the end
+# (which is a separate bug), the expansion in the 2nd variable and then
+# the use of the 2nd variable.
+# This seems to be due to difference in consistency check between expansion
+# at parse time and variable expansion.
+# eg. expanding @{exec_path} manually will result in a failure to parse
+# see: https://gitlab.com/apparmor/apparmor/-/issues/398
+
+@{var}=*-linux-gnu*
+@{var}+=*-suse-linux*  #aa:only opensuse
+
+@{exec_path} = /{,@{var}/}t
+
+profile test {
+
+
+  @{exec_path} mr,
+}

profiles/apparmor.d/abstractions/X

@@ -28,6 +28,7 @@
   owner @{run}/user/*/gdm/Xauthority r,
   owner @{run}/user/*/X11/Xauthority r,
   owner @{run}/user/*/xauth_* r,
+  owner /tmp/xauth_?????? r,
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/* rw,

profiles/apparmor.d/abstractions/authentication

@@ -31,6 +31,17 @@
   /{usr/,}lib/@{multiarch}/security/pam_*.so      mr,
   /{usr/,}lib/@{multiarch}/security/              r,
 
+  # pam_unix
+  owner /proc/@{pid}/loginuid r,
+  /{,usr/}{,s}bin/unix_chkpwd Px,
+
+  # pam_env
+  @{etc_ro}/environment r,
+
+  # pam_limit
+  @{etc_ro}/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/*.conf  r,
+
   # gssapi
   @{etc_ro}/gss/mech               r,
   @{etc_ro}/gss/mech.d/            r,

profiles/apparmor.d/abstractions/crypto

@@ -13,6 +13,9 @@
 
   abi <abi/4.0>,
 
+  # Global config of openssl
+  include <abstractions/openssl>
+
   @{etc_ro}/gcrypt/hwf.deny r,
   @{etc_ro}/gcrypt/random.conf r,
   @{PROC}/sys/crypto/fips_enabled r,
@@ -24,4 +27,8 @@
   /etc/crypto-policies/*/*.txt r,
   /usr/share/crypto-policies/*/*.txt r,
 
+  # Global gnutls config
+  @{etc_ro}/gnutls/config r,
+  @{etc_ro}/gnutls/pkcs11.conf r,
+
   include if exists <abstractions/crypto.d>

profiles/apparmor.d/abstractions/fcitx-strict

@@ -22,5 +22,18 @@
 
   owner @{HOME}/.config/fcitx/dbus/* r,
 
+  # Allow access to the Fcitx portal, supported by fcitx/fcitx5
+  dbus (send)
+      bus=session
+      path=/{,org/freedesktop/portal/}inputmethod
+      interface=org.fcitx.Fcitx.InputMethod1
+      member={CreateInputContext,Version}
+      peer=(name=org.freedesktop.portal.Fcitx),
+
+  dbus (send, receive)
+      bus=session
+      path=/{,org/freedesktop/portal/}inputcontext/**
+      interface=org.fcitx.Fcitx.InputContext1,
+
   # Include additions to the abstraction
   include if exists <abstractions/fcitx-strict.d>

profiles/apparmor.d/abstractions/kde-open5

@@ -50,7 +50,6 @@
   include <abstractions/kde-icon-cache-write>
   include <abstractions/kde>
   include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
-  include <abstractions/openssl>
   include <abstractions/qt5>
   include <abstractions/recent-documents-write>
   include <abstractions/X>

profiles/apparmor.d/abstractions/nameservice

@@ -116,6 +116,7 @@
   network netlink raw,
 
   # interface details
+  @{PROC}/@{pid}/net/ipv6_route r,
   @{PROC}/@{pid}/net/route r,
 
   # Include additions to the abstraction

profiles/apparmor.d/abstractions/samba

@@ -12,6 +12,7 @@
   abi <abi/4.0>,
 
   /etc/samba/* r,
+  /etc/gnutls/config r,
   /usr/lib*/ldb/*.so mr,
   /usr/lib*/ldb2/*.so mr,
   /usr/lib*/ldb2/modules/ldb/*.so mr,

profiles/apparmor.d/abstractions/transmission-common

@@ -0,0 +1,153 @@
+# vim:syntax=apparmor
+# LOGPROF-SUGGEST: no
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+  include <abstractions/base>
+  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  network inet    dgram,
+  network inet6   dgram,
+  network netlink dgram,
+  network inet    stream,
+  network inet6   stream,
+
+  dbus (bind)
+       bus=session
+       name=com.transmissionbt.Transmission,
+  dbus (bind)
+       bus=session
+       name=com.transmissionbt.transmission_*,
+
+  dbus (receive)
+       bus=session
+       path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Notify,
+  dbus (send)
+       bus=session
+       path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Change
+       peer=(name=ca.desrt.dconf),
+
+  dbus (receive)
+       bus=accessibility
+       path=/org/a11y/atspi/accessible/root
+       interface=org.freedesktop.DBus.Properties
+       member=Set,
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry),
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry),
+  dbus (send)
+       bus=accessibility
+       path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetDeviceEventListeners,GetKeystrokeListeners}
+       peer=(name=org.a11y.atspi.Registry),
+
+  dbus (send)
+       bus={accessibility,session}
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       path=/StatusNotifierWatcher
+       member=Introspect
+       peer=(name=org.kde.StatusNotifierWatcher),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/StatusNotifierWatcher
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher),
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/org/a11y/bus
+       member=Get
+       peer=(name=org.a11y.Bus),
+  dbus (send)
+       bus=system
+       interface=org.freedesktop.DBus.Properties
+       path=/org/freedesktop/hostname1
+       member=GetAll,
+
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.Notifications
+       path=/org/freedesktop/Notifications
+       member={GetCapabilities,Notify},
+
+  dbus (send)
+       bus=session
+       path=/org/gtk/Private/RemoteVolumeMonitor
+       interface=org.gtk.Private.RemoteVolumeMonitor
+       member={IsSupported,List},
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member={GetConnection,ListMonitorImplementations},
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mount/[1-9]*
+       interface=org.gtk.vfs.Mount
+       member={CreateFileMonitor,Enumerate,QueryInfo},
+  dbus (receive)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=Mounted,
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member={ListMountableInfo,ListMounts2,LookupMount},
+
+  @{PROC}/sys/kernel/random/uuid r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+
+  @{etc_ro}/fstab r,
+
+  @{system_share_dirs}/hwdata/** r,
+  @{system_share_dirs}/lxqt/**   r,
+
+  owner /tmp/tr_session_id_* rwk,
+
+  # allow a top-level directory listing
+  @{HOME}/ r,
+
+  owner @{HOME}/.cache/transmission/    w,
+  owner @{HOME}/.cache/transmission/**  rw,
+  owner @{HOME}/.config/transmission/   w,
+  owner @{HOME}/.config/transmission/** rw,
+
+  owner @{HOME}/.config/lxqt/lxqt.conf  r,
+
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/    r,
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/**  rw,
+
+  # exclude these for now
+  deny /usr/share/thumbnailers/ r,
+  deny @{HOME}/.local/share/gvfs-metadata/** r,
+  deny @{HOME}/.config/lxqt/**  rw,
+
+  include if exists <abstractions/transmission-common.d>

profiles/apparmor.d/abstractions/wutmp

@@ -13,6 +13,8 @@
 
   # some services update wtmp, utmp, and lastlog with per-user
   # connection information
+  /var/lib/wtmpdb/  r,
+  /var/lib/wtmpdb/wtmp.db{,-journal} rwlk,
   /var/log/lastlog  rwk,
   /var/log/wtmp     rwk,
   /var/log/btmp     rwk,

profiles/apparmor.d/balena-etcher

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/balena-etcher>
+}

profiles/apparmor.d/chromium

@@ -0,0 +1,14 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+@{chromium} = {,ungoogled-}chromium{,-browser}
+
+profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/chromium>
+}

profiles/apparmor.d/firefox

@@ -4,7 +4,7 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile firefox /usr/lib/firefox{,-esr}/firefox{,-esr} flags=(unconfined) {
+profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/foliate

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile foliate /usr/bin/foliate flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/foliate>
+}

profiles/apparmor.d/geary

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile geary /usr/bin/geary flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/geary>
+}

profiles/apparmor.d/goldendict

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile goldendict /usr/bin/goldendict flags=(unconfined) {
+  userns,
+  
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/goldendict>
+}

profiles/apparmor.d/kchmviewer

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) {
+  userns,
+  
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/kchmviewer>
+}

profiles/apparmor.d/loupe

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile loupe /usr/bin/loupe flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/loupe>
+}

profiles/apparmor.d/notepadqq

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) {
+  userns,
+  
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/notepadqq>
+}

profiles/apparmor.d/pageedit

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile pageedit /usr/bin/pageedit flags=(unconfined) {
+  userns,
+  
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/pageedit>
+}

profiles/apparmor.d/php-fpm

@@ -11,8 +11,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
   include <abstractions/nameservice>
   # common php files and support files that php needs
   include <abstractions/php>
-  # read openssl configuration
-  include <abstractions/openssl>
   # read the system certificates
   include <abstractions/ssl_certs>
 
@@ -38,6 +36,9 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
   @{run}/php*-fpm.pid rw,
   @{run}/php{,-fpm}/php*-fpm.sock rwlk,
 
+  # LP: #2061113
+  owner @{run}/systemd/notify w,
+
   # to reload
   /usr/sbin/php-fpm* rix,
 

profiles/apparmor.d/plasmashell

@@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell {
   unix,
   ptrace,
 
-  /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+  # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
+  /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+  /usr/libexec/qt[56]/QtWebEngineProcess                      cx -> &plasmashell//QtWebEngineProcess,
+
+  # allow to execute all other programs under their own profile, or to run unconfined
   /** pux,
+
   /{,**} mrwlk,
 
   profile QtWebEngineProcess {

profiles/apparmor.d/privacybrowser

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile privacybrowser /usr/bin/privacybrowser flags=(unconfined) {
+  userns,
+  
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/privacybrowser>
+}

profiles/apparmor.d/qmapshack

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile qmapshack /usr/bin/qmapshack flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/qmapshack>
+}

profiles/apparmor.d/qutebrowser

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile qutebrowser /usr/bin/qutebrowser flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/qutebrowser>
+}

profiles/apparmor.d/rssguard

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile rssguard /usr/bin/rssguard flags=(unconfined) {
+  userns,
+  
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/rssguard>
+}

profiles/apparmor.d/samba-bgqd

@@ -6,7 +6,6 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
   include <abstractions/base>
   include <abstractions/cups-client>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/samba>
 
   signal receive set=term peer=smbd,

profiles/apparmor.d/samba-dcerpcd

@@ -16,12 +16,14 @@ include <tunables/global>
 profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
   include <abstractions/samba-rpcd>
 
+  capability sys_resource,
+
   @{run}/{,samba/}samba-dcerpcd.pid rwk,
 
   /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
 
   /usr/lib*/samba/ r,
-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd,
   /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
   /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
 

profiles/apparmor.d/samba-rpcd

@@ -13,10 +13,15 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} {
   include <abstractions/samba-rpcd>
-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
 
+  capability sys_resource,
+
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr,
+
+  @{run}/samba/ncalrpc/np/lsarpc wr,
+  @{run}/samba/ncalrpc/np/mdssvc wr,
   @{run}/samba/ncalrpc/np/winreg wr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/samba-rpcd-classic

@@ -17,8 +17,18 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
   include <abstractions/samba-rpcd>
   include <abstractions/wutmp>
 
+  capability sys_resource,
+
   /usr/lib*/samba/{,samba/}rpcd_classic mr,
 
+  @{run}/samba/ncalrpc/np/srvsvc wr,
+  @{run}/samba/ncalrpc/np/winreg wr,
+  /dev/urandom rw,
+
+  /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
+
+  @{HOMEDIRS}/** lrwk,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd-classic>
 }

profiles/apparmor.d/sbin.syslog-ng

@@ -22,7 +22,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
   include <abstractions/consoles>
   include <abstractions/nameservice>
   include <abstractions/mysql>
-  include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/hosts_access>
 

profiles/apparmor.d/scide

@@ -0,0 +1,13 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+#supercollider-ide
+profile scide /usr/bin/scide flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/scide>
+}

profiles/apparmor.d/transmission

@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile transmission-daemon /usr/bin/transmission-daemon flags=(complain) {
+  # Don't use abstractions/transmission-common here, as the
+  # access needed is narrower than the user applications
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  network inet  dgram,
+  network inet6 dgram,
+  network inet  stream,
+  network inet6 stream,
+
+  owner @{PROC}/@{pid}/mounts r,
+  @{PROC}/sys/kernel/random/uuid r,
+
+  @{run}/systemd/notify w,
+
+  /etc/transmission-daemon/** r,
+  owner /etc/transmission-daemon/settings.json{,.tmp.*} rw,
+
+  owner /tmp/tr_session_id_* rwk,
+
+  /usr/share/transmission/web/** r,
+
+  owner /var/lib/transmission-daemon/.config/transmission-daemon/** rw,
+  owner /var/lib/transmission-daemon/downloads/** rw,
+  owner /var/lib/transmission-daemon/info/**      rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-daemon>
+}
+
+profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/consoles>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-cli>
+}
+
+profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf>
+  include <abstractions/gnome>
+
+  owner @{run}/user/*/dconf/user w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-gtk>
+}
+
+profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
+  include <abstractions/transmission-common>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/fonts>
+  include <abstractions/X>
+  include <abstractions/qt5>
+  include <abstractions/qt5-settings-write>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/transmission>
+  include if exists <local/transmission-qt>
+}

profiles/apparmor.d/tuxedo-control-center

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label unconfined
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/tuxedo-control-center>
+}

profiles/apparmor.d/unix-chkpwd

@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  # To write records to the kernel auditing log.
+  capability audit_write,
+
+  network netlink raw,
+
+  /{,usr/}{,s}bin/unix_chkpwd mr,
+
+  /etc/shadow r,
+
+  # systemd userdb, used in nspawn
+  /run/host/userdb/*.user r,
+  /run/host/userdb/*.user-privileged r,
+
+  # file_inherit
+  owner /dev/tty[0-9]* rw,
+
+  include if exists <local/unix-chkpwd>
+}

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -19,7 +19,6 @@ profile dovecot-auth /usr/lib*/dovecot/auth {
   include <abstractions/base>
   include <abstractions/mysql>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/wutmp>
   include <abstractions/dovecot-common>
 

profiles/apparmor.d/usr.lib.dovecot.dict

@@ -17,7 +17,6 @@ profile dovecot-dict /usr/lib*/dovecot/dict {
   include <abstractions/base>
   include <abstractions/mysql>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/dovecot-common>
 
   capability setuid,

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -17,7 +17,6 @@ include <tunables/global>
 profile dovecot-imap-login /usr/lib*/dovecot/imap-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
-  include <abstractions/openssl>
 
   capability setuid,
   capability sys_chroot,

profiles/apparmor.d/usr.lib.dovecot.lmtp

@@ -18,7 +18,6 @@ profile dovecot-lmtp /usr/lib*/dovecot/lmtp {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/dovecot-common>
-  include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/ssl_keys>
 

profiles/apparmor.d/usr.lib.dovecot.managesieve-login

@@ -19,7 +19,6 @@ include <tunables/global>
 profile dovecot-managesieve-login /usr/lib*/dovecot/managesieve-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
-  include <abstractions/openssl>
 
   capability setuid,
   capability sys_chroot,

profiles/apparmor.d/usr.lib.dovecot.pop3-login

@@ -17,7 +17,6 @@ include <tunables/global>
 profile dovecot-pop3-login /usr/lib*/dovecot/pop3-login {
   include <abstractions/base>
   include <abstractions/dovecot-common>
-  include <abstractions/openssl>
 
   capability setuid,
   capability sys_chroot,

profiles/apparmor.d/usr.sbin.nmbd

@@ -8,6 +8,7 @@ profile nmbd /usr/{bin,sbin}/nmbd {
   include <abstractions/samba>
 
   capability net_bind_service,
+  capability sys_resource,
 
   @{PROC}/sys/kernel/core_pattern r,
 

profiles/apparmor.d/usr.sbin.ntpd

@@ -16,7 +16,6 @@ include <tunables/ntpd>
 profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/xad>
 

profiles/apparmor.d/usr.sbin.smbd

@@ -8,7 +8,6 @@ profile smbd /usr/{bin,sbin}/smbd {
   include <abstractions/consoles>
   include <abstractions/cups-client>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/samba>
   include <abstractions/user-tmp>
   include <abstractions/wutmp>
@@ -33,9 +32,6 @@ profile smbd /usr/{bin,sbin}/smbd {
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
-  /usr/etc/environment r,
-  /usr/etc/security/limits.d/ r,
-  /usr/etc/security/limits.d/*.conf  r,
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
@@ -50,7 +46,6 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/share/samba/** r,
   /usr/{bin,sbin}/smbd mr,
   /usr/{bin,sbin}/smbldap-useradd Px,
-  /usr/sbin/unix_chkpwd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/nscd/netgroup r,
@@ -63,8 +58,6 @@ profile smbd /usr/{bin,sbin}/smbd {
   @{run}/samba/ncalrpc/** rw,
   /var/spool/samba/** rw,
 
-  owner /proc/@{pid}/loginuid r,
-
   @{HOMEDIRS}/** lrwk,
   /var/lib/samba/usershares/{,**} lrwk,
 

profiles/apparmor.d/wike

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile wike /usr/bin/wike flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/wike>
+}

profiles/apparmor/profiles/extras/bwrap-userns-restrict

@@ -0,0 +1,68 @@
+# This profile allows almost everything and only exists to allow
+# bwrap to work on a system with user namespace restrictions
+# being enforced.
+# bwrap is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking bwrap from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+#
+# Note: the bwrap child is stacked against the bwrap profile due to
+# bwraps use of no-new-privs
+
+# disabled by default as it can break some use cases on a system that
+# doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
+  allow capability,
+  # not allow all, to allow for pix stack
+  # sadly we have to allow  m every where to allow children to work under
+  # stacking.
+  allow file rwlkm /{**,},
+  allow network,
+  allow unix,
+  allow ptrace,
+  allow signal,
+  allow mqueue,
+  allow io_uring,
+  allow userns,
+  allow mount,
+  allow umount,
+  allow pivot_root,
+  allow dbus,
+  allow px /** -> bwrap//&unpriv_bwrap,
+
+  # the local include should not be used without understanding the userns
+  # restriction.
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bwrap-userns-restrict>
+}
+
+profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
+  # not allow all, to allow for pix stack
+  allow file rwlkm /{**,},
+  allow network,
+  allow unix,
+  allow ptrace,
+  allow signal,
+  allow mqueue,
+  allow io_uring,
+  allow userns,
+  allow mount,
+  allow umount,
+  allow pivot_root,
+  allow dbus,
+
+  allow pix /** -> &unpriv_bwrap,
+
+  audit deny capability,
+
+  # the local include should not be used without understanding the userns
+  # restriction.
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/unpriv_bwrap>
+}

profiles/apparmor/profiles/extras/chromium_browser

@@ -12,9 +12,9 @@
 
 abi <abi/4.0>,
 
-#include <tunables/global>
+include <tunables/global>
 
-@{chromium} = chromium{,-browser}
+@{chromium} = {,ungoogled-}chromium{,-browser}
 
 # We need 'flags=(attach_disconnected)' in newer chromium versions
 profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconnected) {
@@ -22,10 +22,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   include <abstractions/cups-client>
   include <abstractions/dbus-session>
   include <abstractions/dbus-strict>
+  include <abstractions/fonts>
   include <abstractions/gnome>
   include <abstractions/ibus>
+  include <abstractions/mesa>
   include <abstractions/nameservice>
   include <abstractions/user-tmp>
+  include <abstractions/vulkan>
 
   # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
   # you want access to productivity applications, adjust the following file
@@ -57,14 +60,48 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
        member={EnumerateDevices,GetDisplayDevice}
        peer=(label=unconfined),
 
-  # ???
-  deny dbus (send)
+  dbus (send)
        bus=system
        path=/org/freedesktop/hostname1
        interface=org.freedesktop.DBus.Properties
        member=GetAll
        peer=(label=unconfined),
 
+  dbus (receive)
+       bus=system
+       path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member={SessionNew,SessionRemoved}
+       peer=(label=unconfined),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner,Hello,NameHasOwner,RemoveMatch,StartServiceByName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.portal.Desktop),
+
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation}
+       peer=(name=org.freedesktop.Notifications),
+
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(label=unconfined),
+
   # Networking
   network inet stream,
   network inet6 stream,
@@ -72,30 +109,35 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   @{PROC}/@{pid}/net/ipv6_route r,
 
   # Should maybe be in abstractions
+  /etc/fstab r,
   /etc/mime.types r,
   /etc/mailcap r,
   /etc/mtab r,
   /etc/xdg/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.cache/thumbnails/** r,
   owner @{HOME}/.local/share/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/mimeinfo.cache r,
   /tmp/.X[0-9]*-lock r,
 
   @{PROC}/self/exe ixr,
-  @{PROC}/@{pid}/fd/ r,
   @{PROC}/filesystems r,
+  @{PROC}/pressure/{cpu,io,memory} r,
   @{PROC}/vmstat r,
   @{PROC}/ r,
-  @{PROC}/@{pid}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/clear_refs w,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/io r,
+  owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/setgroups w,
   owner @{PROC}/@{pid}/{uid,gid}_map w,
-  @{PROC}/@{pid}/smaps r,
+  owner @{PROC}/@{pid}/smaps r,
   @{PROC}/@{pid}/stat r,
   @{PROC}/@{pid}/statm r,
-  @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/status r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
   deny @{PROC}/@{pid}/oom_{,score_}adj w,
+  @{PROC}/sys/fs/inotify/max_user_watches r,
   @{PROC}/sys/kernel/yama/ptrace_scope r,
   @{PROC}/sys/net/ipv4/tcp_fastopen r,
 
@@ -105,13 +147,24 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /sys/devices/**/uevent r,
   /sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r,
   /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
+  /sys/devices/system/cpu/kernel_max r,
+  /sys/devices/system/cpu/possible r,
+  /sys/devices/system/cpu/present r,
   /sys/devices/system/node/node*/meminfo r,
+  /sys/devices/pci[0-9]*/**/bConfigurationValue r,
+  /sys/devices/pci[0-9]*/**/boot_vga r,
+  /sys/devices/pci[0-9]*/**/busnum r,
   /sys/devices/pci[0-9]*/**/class r,
   /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/descriptors r,
   /sys/devices/pci[0-9]*/**/device r,
+  /sys/devices/pci[0-9]*/**/devnum r,
   /sys/devices/pci[0-9]*/**/irq r,
+  /sys/devices/pci[0-9]*/**/manufacturer r,
+  /sys/devices/pci[0-9]*/**/product r,
   /sys/devices/pci[0-9]*/**/resource r,
   /sys/devices/pci[0-9]*/**/revision r,
+  /sys/devices/pci[0-9]*/**/serial r,
   /sys/devices/pci[0-9]*/**/subsystem_device r,
   /sys/devices/pci[0-9]*/**/subsystem_vendor r,
   /sys/devices/pci[0-9]*/**/vendor r,
@@ -122,6 +175,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /sys/devices/virtual/tty/tty*/active r,
   # This is requested, but doesn't seem to actually be needed so deny for now
   deny /run/udev/data/** r,
+  deny /sys/devices/virtual/dmi/id/* r,
 
   # Needed for the crash reporter
   owner @{PROC}/@{pid}/auxv r,
@@ -132,13 +186,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /usr/share/fonts/**/*.pfb m,
   /usr/share/mime/mime.cache m,
   /usr/share/icons/**/*.cache m,
-  owner /{dev,run}/shm/pulse-shm* m,
+  owner /{dev,run,var/run}/shm/pulse-shm* m,
   owner @{HOME}/.local/share/mime/mime.cache m,
   owner /tmp/** m,
 
   @{PROC}/sys/kernel/shmmax r,
-  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
-  owner /{,var/}run/shm/shmfd-* mrw,
+  owner /{dev,run,var/run}/shm/{,.}org.chromium.* mrw,
+  owner /{dev,run,var/run}/shm/shmfd-* mrw,
 
   /usr/lib/@{chromium}/*.pak mr,
   /usr/lib/@{chromium}/locales/* mr,
@@ -149,8 +203,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
 
   # Allow ptracing ourselves and our helpers
   ptrace (trace) peer=@{profile_name},
-  ptrace (trace) peer=@{profile_name}//xdgsettings,
-  ptrace (trace) peer=lsb_release,
+  ptrace (read, trace) peer=@{profile_name}//xdgsettings,
+  ptrace (read, trace) peer=lsb_release,
 
   # Make browsing directories work
   / r,
@@ -183,10 +237,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /etc/firefox/profile/bookmarks.html r,
   owner @{HOME}/.mozilla/** k,
 
-  # Chromium Policies
-  /etc/@{chromium}/policies/** r,
-
   # Chromium configuration
+  /etc/@{chromium}/** r,
+  # Note: "~/.pki/{,nssdb/} w" is denied by private-files abstraction
   owner @{HOME}/.pki/nssdb/* rwk,
   owner @{HOME}/.cache/chromium/ rw,
   owner @{HOME}/.cache/chromium/** rw,
@@ -197,12 +250,18 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
   owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
 
-  # Allow transitions to ourself and our sandbox
+  # Widevine CDM plugin
+  owner @{HOME}/.config/chromium/WidevineCdm/*/_platform_specific/*/libwidevinecdm.so mr,
+
+  # Allow transitions to ourself, our sandbox, and crash handler
   /usr/lib/@{chromium}/@{chromium} ix,
   /usr/lib/@{chromium}/chrome-sandbox cx -> sandbox,
+  /usr/lib/@{chromium}/chrome_crashpad_handler Cxr -> crashpad_handler,
 
-  # Allow communicating with sandbox
+  # Allow communicating with sandbox and crash handler
   unix (receive, send) peer=(label=@{profile_name}//sandbox),
+  unix (receive, send) peer=(label=@{profile_name}//crashpad_handler),
+  signal (receive) set=(cont) peer=@{profile_name}//crashpad_handler,
 
   /{usr/,}bin/ps Uxr,
   /usr/lib/@{chromium}/xdg-settings Cxr -> xdgsettings,
@@ -210,10 +269,13 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /usr/bin/lsb_release Pxr -> lsb_release,
 
   # GSettings
-  owner /{,var/}run/user/*/dconf/     rw,
-  owner /{,var/}run/user/*/dconf/user rw,
+  owner @{run}/user/[0-9]*/dconf/     rw,
+  owner @{run}/user/[0-9]*/dconf/user rw,
   owner @{HOME}/.config/dconf/user r,
 
+  # GVfs
+  owner @{run}/user/[0-9]*/gvfsd/socket-* rw,
+
   # Magnet links
   /usr/bin/gio ixr,
 
@@ -230,7 +292,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
     /etc/ld.so.cache r,
     /etc/xdg/** r,
     /usr/bin/xdg-settings r,
-    /{usr/,}lib{,32,64}/@{chromium}/xdg-settings r,
+    /usr/lib/@{chromium}/xdg-settings r,
     /usr/share/applications/*.desktop r,
     /usr/share/applications/*.list r,
 
@@ -266,6 +328,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
     /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
     /{usr/,}lib{,32,64}/libatomic.so* mr,
     /{usr/,}lib/@{multiarch}/libatomic.so* mr,
+    /{usr/,}lib{,32,64}/libc.so.* mr,
+    /{usr/,}lib/@{multiarch}/libc.so.* mr,
     /{usr/,}lib{,32,64}/libc-*.so* mr,
     /{usr/,}lib/@{multiarch}/libc-*.so* mr,
     /{usr/,}lib{,32,64}/libdl-*.so* mr,
@@ -326,6 +390,32 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
     owner /tmp/** rw,
   }
 
+  profile crashpad_handler {
+    include <abstractions/base>
+
+    capability sys_ptrace,
+
+    ptrace (read, trace) peer=chromium_browser,
+
+    signal (send) set=(cont) peer=chromium_browser,
+
+    unix (receive, send) peer=(label=chromium_browser),
+
+    /usr/lib/@{chromium}/chrome_crashpad_handler ixr,
+
+    /sys/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,max}_freq r,
+
+    @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+    owner @{PROC}/@{pid}/fd/ r,
+    owner @{PROC}/@{pid}/mem r,
+    owner @{PROC}/@{pid}/stat r,
+    owner @{PROC}/@{pid}/task/ r,
+    owner @{PROC}/@{pid}/task/@{tid}/comm r,
+
+    owner @{HOME}/.config/chromium/Crash?Reports/** rwk,
+  }
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/chromium_browser>
 }

profiles/apparmor/profiles/extras/firefox

@@ -139,7 +139,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
      interface=org.gtk.gio.DesktopAppInfo
      member=Launched,
 
-  /etc/timezone r,
+  /etc/{,writable/}timezone r,
   /etc/wildmidi/wildmidi.cfg r,
 
   # firefox specific
@@ -241,7 +241,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.gnome2/firefox* rwk,
   owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
-  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k,
+  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
   owner @{HOME}/.config/gtk-3.0/bookmarks r,
   owner @{HOME}/.config/dconf/user w,
   owner @{run}/user/[0-9]*/dconf/ w,
@@ -416,14 +416,17 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
        bus=system
        path=/org/freedesktop/UPower
        interface=org.freedesktop.UPower
-       member=EnumerateDevices
-       peer=(name=org.freedesktop.UPower),
+       member=EnumerateDevices,
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/UPower
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
   dbus (send)
        bus=system
        path=/org/freedesktop/UPower/devices/*
        interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=org.freedesktop.UPower),
+       member=GetAll,
 
   # File browser
   dbus (send)

profiles/apparmor/profiles/extras/postfix-proxymap

@@ -17,7 +17,6 @@ include <tunables/global>
 profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
   include <abstractions/base>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/postfix-common>
 
   /etc/my.cnf r,

profiles/apparmor/profiles/extras/postfix-smtp

@@ -18,7 +18,6 @@ profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
-  include <abstractions/openssl>
 
   capability dac_override,
   capability dac_read_search,

profiles/apparmor/profiles/extras/postfix-smtpd

@@ -18,7 +18,6 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
-  include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/ssl_keys>
 

profiles/apparmor/profiles/extras/postfix-tlsmgr

@@ -17,7 +17,6 @@ include <tunables/global>
 profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
   include <abstractions/base>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,

profiles/apparmor/profiles/extras/sbin.dhclient

@@ -26,7 +26,6 @@ include <tunables/global>
 profile dhclient /{usr/,}sbin/dhclient {
   include <abstractions/base>
   include <abstractions/bash>
-  include <abstractions/openssl>
   include <abstractions/nameservice>
 
   capability net_raw,

profiles/apparmor/profiles/extras/unshare-userns-restrict

@@ -0,0 +1,65 @@
+# This profile allows almost everything and only exists to allow
+# unshare to work on a system with user namespace restrictions
+# being enforced.
+# unshare is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking unshare from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+# We restrict x mapping of any code that is unknown while unshare
+# has privilige within the namespace. To help ensure unshare can't
+# be used to attack the kernel.
+#
+# disabled by default as it can break some use cases on a system that
+# doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+  # not allow all, to allow for cix transition
+  # and to limit executable mapping to just unshare
+  allow capability,
+  allow file rwlk /{**,},
+  allow network,
+  allow unix,
+  allow ptrace,
+  allow signal,
+  allow mqueue,
+  allow io_uring,
+  allow userns,
+  allow mount,
+  allow umount,
+  allow pivot_root,
+  allow dbus,
+  audit allow cx /** -> unpriv,
+
+  allow file m /usr/lib/@{multiarch}/libc.so.6,
+  allow file m /usr/bin/unshare,
+
+  # the local include should not be used without understanding the userns
+  # restriction.
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/unshare-userns-restrict>
+
+  profile unpriv flags=(attach_disconnected) {
+    # not allow all, to allow for pix stack
+    allow file rwlkm /{**,},
+    allow network,
+    allow unix,
+    allow ptrace,
+    allow signal,
+    allow mqueue,
+    allow io_uring,
+    allow userns,
+    allow mount,
+    allow umount,
+    allow pivot_root,
+    allow dbus,
+
+    allow pix /** -> &unshare//unpriv,
+
+    audit deny capability,
+  }
+}

profiles/apparmor/profiles/extras/usr.bin.freshclam

@@ -17,7 +17,6 @@ include <tunables/global>
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,

profiles/apparmor/profiles/extras/usr.sbin.clamd

@@ -13,7 +13,6 @@ include <tunables/global>
 profile clamd /usr/sbin/clamd {
   include <abstractions/base>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,

profiles/apparmor/profiles/extras/usr.sbin.haproxy

@@ -13,7 +13,6 @@ include <tunables/global>
 profile haproxy /usr/sbin/haproxy {
   include <abstractions/base>
   include <abstractions/nameservice>
-  include <abstractions/openssl>
   capability net_admin,
   capability net_bind_service,
   capability setgid,

profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork

@@ -20,7 +20,6 @@ include <tunables/global>
   include <abstractions/kerberosclient>
   include <abstractions/nameservice>
   include <abstractions/perl>
-  include <abstractions/openssl>
 
   capability kill,
   capability net_bind_service,

profiles/apparmor/profiles/extras/usr.sbin.imapd

@@ -17,7 +17,6 @@ include <tunables/global>
   include <abstractions/nameservice>
   include <abstractions/authentication>
   include <abstractions/user-mail>
-  include <abstractions/openssl>
 
   /dev/urandom                              r,
   /tmp/*                                    rwl,

profiles/apparmor/profiles/extras/usr.sbin.ipop2d

@@ -17,7 +17,6 @@ include <tunables/global>
   include <abstractions/nameservice>
   include <abstractions/authentication>
   include <abstractions/user-mail>
-  include <abstractions/openssl>
 
   /dev/urandom                           r     ,
   /tmp/.*                                rwl   ,

profiles/apparmor/profiles/extras/usr.sbin.ipop3d

@@ -17,7 +17,6 @@ include <tunables/global>
   include <abstractions/nameservice>
   include <abstractions/authentication>
   include <abstractions/user-mail>
-  include <abstractions/openssl>
 
   /dev/urandom                           r     ,
   /tmp/.*                                rwl   ,

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -50,6 +50,15 @@ include <tunables/global>
   # needed when /proc is mounted with hidepid>=1
   ptrace (read,trace) peer="unconfined",
 
+  unix (bind) type=stream addr="@*/bus/sshd/system",
+
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member=CreateSessionWithPIDFD
+       peer=(label=unconfined),
+
   /dev/ptmx rw,
   /dev/pts/[0-9]* rw,
   /dev/urandom r,

tests/regression/apparmor/Makefile

@@ -111,8 +111,8 @@ SRC=access.c \
     mount.c \
     move_mount.c \
     named_pipe.c \
-    net_finegrained_rcv.c \
-    net_finegrained_snd.c \
+    net_inet_rcv.c \
+    net_inet_snd.c \
     net_raw.c \
     open.c \
     openat.c \
@@ -364,10 +364,10 @@ unix_fd_client: unix_fd_client.c unix_fd_common.o
 attach_disconnected: attach_disconnected.c unix_fd_common.o
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
-userns: userns.c userns.h
+userns: userns.c pipe_helper.h
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
-userns_setns: userns_setns.c userns.h
+userns_setns: userns_setns.c pipe_helper.h
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
 mount: mount.c

tests/regression/apparmor/aa_exec.sh

@@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
 
 genprofile_aa_exec "$test" 0
 runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile --stdin <<EOF
+$test {
+  all,
+}
+
+:${ns}:${test} {
+  all,
+}
+EOF
+    runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
+fi

tests/regression/apparmor/access.sh

@@ -28,7 +28,14 @@ wxperm=wix
 touch $file
 chmod 777 $file	# full perms so discretionary access checks succeed
 
-# PASS TEST 
+# PASS TEST
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile "all"
+    runchecktest "ACCESS allow all r (rwx)" pass $file r
+    runchecktest "ACCESS allow all rx (rwx)" pass $file rx
+    runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
+fi
+
 genprofile $file:$rwxperm
 runchecktest "ACCESS file r (rwx)" pass $file r
 runchecktest "ACCESS file rx (rwx)" pass $file rx

tests/regression/apparmor/attach_disconnected.sh

@@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
 
 # TODO: adding attach_disconnected.path to a replaced unconfined
 
+# ALLOW ALL does not include attach_disconnected
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
+
+	genprofile "all" -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
+fi
+
 genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
 
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old