Preoarse for AppArmor 4.1 release

- update version file
- bump library version

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -1,4 +1,4 @@
-apparmor-*
+apparmor-
 cscope.*
 binutils/aa-enabled
 binutils/aa-enabled.1
@@ -7,15 +7,28 @@ binutils/aa-exec.1
 binutils/aa-features-abi
 binutils/aa-features-abi.1
 binutils/aa-load
+binutils/aa-load.8
 binutils/aa-status
 binutils/aa-status.8
 binutils/cJSON.o
 binutils/po/*.mo
+changehat/mod_apparmor/.libs
+changehat/mod_apparmor/mod_apparmor.8
+changehat/mod_apparmor/mod_apparmor.8.html
+changehat/mod_apparmor/mod_apparmor.la
+changehat/mod_apparmor/mod_apparmor.lo
+changehat/mod_apparmor/mod_apparmor.slo
+changehat/mod_apparmor/mod_apparmor.so
+changehat/mod_apparmor/pod2htmd.tmp
+changehat/pam_apparmor/get_options.o
+changehat/pam_apparmor/pam_apparmor.o
+changehat/pam_apparmor/pam_apparmor.so
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
 parser/generated_cap_names.h
 parser/generated_af_names.h
+parser/errnos.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
@@ -27,42 +40,9 @@ parser/parser_version.h
 parser/parser_yacc.c
 parser/parser_yacc.h
 parser/pod2htm*.tmp
-parser/af_rule.o
-parser/af_unix.o
-parser/all_rule.o
-parser/common_optarg.o
-parser/dbus.o
-parser/default_features.o
-parser/lib.o
-parser/libapparmor_re/aare_rules.o
-parser/libapparmor_re/chfa.o
-parser/libapparmor_re/expr-tree.o
-parser/libapparmor_re/hfa.o
+parser/libapparmor_re/*.o
 parser/libapparmor_re/libapparmor_re.a
-parser/libapparmor_re/parse.o
-parser/mount.o
-parser/mqueue.o
-parser/network.o
-parser/parser_alias.o
-parser/parser_common.o
-parser/parser_include.o
-parser/parser_interface.o
-parser/parser_lex.o
-parser/parser_main.o
-parser/parser_merge.o
-parser/parser_misc.o
-parser/parser_policy.o
-parser/parser_regex.o
-parser/parser_symtab.o
-parser/parser_variable.o
-parser/parser_yacc.o
-parser/policy_cache.o
-parser/profile.o
-parser/ptrace.o
-parser/rule.o
-parser/signal.o
-parser/userns.o
-parser/io_uring.o
+parser/*.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -141,6 +121,18 @@ libraries/libapparmor/src/tst_aalogmisc
 libraries/libapparmor/src/tst_aalogmisc.log
 libraries/libapparmor/src/tst_aalogmisc.o
 libraries/libapparmor/src/tst_aalogmisc.trs
+libraries/libapparmor/src/tst_aalogparse_cpp
+libraries/libapparmor/src/tst_aalogparse_cpp.log
+libraries/libapparmor/src/tst_aalogparse_cpp.o
+libraries/libapparmor/src/tst_aalogparse_cpp.trs
+libraries/libapparmor/src/tst_aalogparse_reentrancy
+libraries/libapparmor/src/tst_aalogparse_reentrancy.log
+libraries/libapparmor/src/tst_aalogparse_reentrancy.o
+libraries/libapparmor/src/tst_aalogparse_reentrancy.trs
+libraries/libapparmor/src/tst_aalogparse_oldname
+libraries/libapparmor/src/tst_aalogparse_oldname.log
+libraries/libapparmor/src/tst_aalogparse_oldname.o
+libraries/libapparmor/src/tst_aalogparse_oldname.trs
 libraries/libapparmor/src/tst_features
 libraries/libapparmor/src/tst_features.log
 libraries/libapparmor/src/tst_features.o
@@ -201,7 +193,6 @@ libraries/libapparmor/testsuite/libaalogparse.test/Makefile
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
 libraries/libapparmor/testsuite/test_multi/out
 libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
-changehat/mod_apparmor/.libs
 utils/*.8
 utils/*.8.html
 utils/*.5
@@ -212,6 +203,7 @@ utils/apparmor/*.pyc
 utils/apparmor/rule/*.pyc
 utils/apparmor.egg-info/
 utils/build/
+!utils/emacs/apparmor-mode.el
 utils/htmlcov/
 utils/test/common_test.pyc
 utils/test/.coverage
@@ -240,6 +232,7 @@ tests/regression/apparmor/chgrp
 tests/regression/apparmor/chmod
 tests/regression/apparmor/chown
 tests/regression/apparmor/clone
+tests/regression/apparmor/complain
 tests/regression/apparmor/dbus_eavesdrop
 tests/regression/apparmor/dbus_message
 tests/regression/apparmor/dbus_service
@@ -266,8 +259,8 @@ tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
 tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
-tests/regression/apparmor/net_finegrained_rcv
-tests/regression/apparmor/net_finegrained_snd
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat
@@ -315,3 +308,15 @@ tests/regression/apparmor/xattrs_profile
 tests/regression/apparmor/coredump
 **/__pycache__/
 *.orig
+
+# Patterns related to spread integration tests
+*.img
+*.iso
+*.lock
+*.log
+*.qcow2
+*.run
+.spread-reuse.yaml
+.spread-reuse.*.yaml
+spread-artifacts/
+spread-logs/

.gitlab-ci.yml

@@ -4,25 +4,41 @@ image: ubuntu:latest
 # XXX - add a deploy stage to publish man pages, docs, and coverage
 # reports
 
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH
+
 stages:
   - build
   - test
+  - spread
 
-.ubuntu-before_script:
+.ubuntu-common:
   before_script:
-    - export DEBIAN_FRONTEND=noninteractive
+    # Install build-dependencies by loading the package list from the ubuntu/debian cloud-init profile.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_deps "Installing dependencies..."
     - apt-get update -qq
-    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
+    - apt-get install --yes yq make lsb-release
+    - |
+      printf 'include .image-garden.mk\n$(info $(UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE))\n.PHONY: nothing\nnothing:\n' \
+      | make -f - nothing \
+      | yq '.packages | .[]' \
+      | xargs apt-get install --yes --no-install-recommends
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_deps
+  after_script:
+    # Inspect the kernel and lsb-release.
     - lsb_release -a
     - uname -a
 
-.install-c-build-deps: &install-c-build-deps
-  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
-
 build-all:
   stage: build
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
+  script:
+    # Run the spread prepare section to build everything.
+    - yq -r '.prepare' <spread.yaml | SPREAD_PATH=. bash -xeu
   artifacts:
     name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
     expire_in: 30 days
@@ -35,39 +51,33 @@ build-all:
       - changehat/mod_apparmor/
       - changehat/pam_apparmor/
       - profiles/
-  script:
-    - *install-c-build-deps
-    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
-    - make -C parser
-    - make -C binutils
-    - make -C utils
-    - make -C changehat/mod_apparmor
-    - make -C changehat/pam_apparmor
-    - make -C profiles
 
 test-libapparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C libraries/libapparmor --touch
     - make -C libraries/libapparmor check
 
 test-parser:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C parser --touch
+    - make -C parser -j $(nproc) tst_binaries
     - make -C parser check
 
 test-binutils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
     - make -C binutils check
 
@@ -75,9 +85,16 @@ test-utils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C utils --touch
+
+    # TODO: move those to cloud-init list?
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+
     # See apparmor/apparmor#221
     - make -C parser/tst gen_dbus
     - make -C parser/tst gen_xtrans
@@ -92,31 +109,37 @@ test-mod-apparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C changehat/mod_apparmor --touch
     - make -C changehat/mod_apparmor check
 
 test-profiles:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C profiles --touch
     - make -C profiles check-parser
     - make -C profiles check-abstractions.d
-    - make -C profiles check-extras
+    - make -C profiles check-local
 
 shellcheck:
   stage: test
   needs: []
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
-  - shellcheck --version
-  - './tests/bin/shellcheck-tree --format=checkstyle
-       | xmlstarlet tr tests/checkstyle2junit.xslt
-       > shellcheck.xml'
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - shellcheck --version
+    - "./tests/bin/shellcheck-tree --format=checkstyle
+      | xmlstarlet tr tests/checkstyle2junit.xslt
+      > shellcheck.xml"
   artifacts:
     when: always
     reports:
@@ -138,29 +161,146 @@ variables:
   SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
   SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
 
-.send-to-coverity: &send-to-coverity
-  - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
-    --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
-    --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
-    --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
-
 coverity:
   stage: .post
   extends:
-    - .ubuntu-before_script
-  only:
-    refs:
-      - master
+    - .ubuntu-common
   script:
-      - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
-      - *install-c-build-deps
-      - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
-        --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
-      - tar xfz /tmp/cov-analysis-linux64.tgz
-      - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
-      - PATH=$PATH:$(pwd)/$COV_VERSION/bin
-      - make coverity
-      - *send-to-coverity
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+      --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
+    - tar xfz /tmp/cov-analysis-linux64.tgz
+    - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
+    - PATH=$PATH:$(pwd)/$COV_VERSION/bin
+    - make coverity
+    - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+      --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
+      --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
+      --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
   artifacts:
     paths:
       - "apparmor-*.tar.gz"
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"
+
+.image-garden-x86_64:
+  stage: spread
+  # TODO: use tagged release once container tagging is improved upstream.
+  image: registry.gitlab.com/zygoon/image-garden:latest
+  tags:
+    - linux
+    - x86_64
+    - kvm
+  variables:
+    ARCH: x86_64
+    GARDEN_DL_DIR: dl
+    CACHE_POLICY: pull-push
+    CACHE_COMPRESSION_LEVEL: fastest
+  before_script:
+    # Prepare the image in dry-run mode. This helps in debugging cache misses
+    # when files are not cached correctly by the runner, causing the build section
+    # below to always do hevy-duty work.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
+    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
+  script:
+    # Prepare the image, for real.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image "Prepare image"
+    - image-garden make "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image
+  cache:
+    # Cache the base image (pre-customization).
+    - key: image-garden-base-${GARDEN_SYSTEM}.${ARCH}
+      policy: $CACHE_POLICY
+      when: always
+      paths:
+        - $GARDEN_DL_DIR
+        # Those are never mutated so they are safe to share.
+        - efi-code.*.img
+        - efi-vars.*.img
+    # Cache the customized system. This cache depends on .image-garden.mk file
+    # so that any customization updates are immediately acted upon.
+    - key:
+        prefix: image-garden-custom-${GARDEN_SYSTEM}.${ARCH}-
+        files:
+          - .image-garden.mk
+      policy: $CACHE_POLICY
+      when: always
+      paths:
+        - $GARDEN_SYSTEM.*
+        - $GARDEN_SYSTEM.seed.iso
+        - $GARDEN_SYSTEM.meta-data
+        - $GARDEN_SYSTEM.user-data
+
+# This job builds and caches the image that the job below looks at.
+image-ubuntu-cloud-24.04-x86_64:
+  extends: .image-garden-x86_64
+  variables:
+    GARDEN_SYSTEM: ubuntu-cloud-24.04
+  needs: []
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH
+      changes:
+        paths:
+          - .image-garden.mk
+          - .gitlab-ci.yml
+        compare_to: "refs/heads/master"
+
+.spread-x86_64:
+  extends: .image-garden-x86_64
+  variables:
+    # GitLab project identifier of zygoon/spread-dist can be seen on
+    # https://gitlab.com/zygoon/spread-dist, under the three-dot menu on
+    # top-right.
+    SPREAD_GITLAB_PROJECT_ID: "65375371"
+    # Git revision of spread to install.
+    # This must have been built via spread-dist.
+    # TODO: switch to upstream 1.0 release when available.
+    SPREAD_REV: 413817eda7bec07a3885e0717c178b965f8924e1
+    # Run all the tasks for a given system.
+    SPREAD_ARGS: "garden:$GARDEN_SYSTEM:"
+    SPREAD_GOARCH: amd64
+  before_script:
+    # Prepare the image in dry-run mode. This helps in debugging cache misses
+    # when files are not cached correctly by the runner, causing the build section
+    # below to always do hevy-duty work.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
+    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - stat .image-garden.mk "$GARDEN_SYSTEM".* || true
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
+    # Install the selected revision of spread.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_spread "Installing spread..."
+    # Install pre-built spread from https://gitlab.com/zygoon/spread-dist generic package repository.
+    - |
+      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --location --output spread "${CI_API_V4_URL}/projects/${SPREAD_GITLAB_PROJECT_ID}/packages/generic/spread/${SPREAD_REV}/spread.${SPREAD_GOARCH}"
+    - chmod +x spread
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_spread
+  script:
+    - printf '\e[0K%s:%s:%s\r\e[0K%s\n' section_start "$(date +%s)" run_spread "Running spread for $GARDEN_SYSTEM..."
+    # TODO: transform to inject ^...$ to properly select jobs to run.
+    - mkdir -p spread-logs spread-artifacts
+    - ./spread -list $SPREAD_ARGS |
+      split --number=l/"${CI_NODE_INDEX:-1}"/"${CI_NODE_TOTAL:-1}" |
+      xargs --verbose ./spread -v -artifacts ./spread-artifacts -v | tee spread-logs/"$GARDEN_SYSTEM".log
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" run_spread
+  artifacts:
+    paths:
+      - spread-logs
+      - spread-artifacts
+    when: always
+
+spread-ubuntu-cloud-24.04-x86_64:
+  extends: .spread-x86_64
+  variables:
+    GARDEN_SYSTEM: ubuntu-cloud-24.04
+    SPREAD_ARGS: garden:$GARDEN_SYSTEM:tests/regression/ garden:$GARDEN_SYSTEM:tests/profiles/
+    CACHE_POLICY: pull
+  dependencies: []
+  needs:
+    - job: image-ubuntu-cloud-24.04-x86_64
+      optional: true
+  parallel: 4

.image-garden.mk

@@ -0,0 +1,128 @@
+# This file is read by image-garden when spread is allocating test machines.
+# All the package installation happens through cloud-init profiles defined
+# below.
+
+# NOTE: Should the kernel be out of date, just increment this value. Make will
+# re-create the image whenever the .image-garden.mk file is more recent than
+# the image itself. In reality all you need is touch(1), but this is more apt.
+unused=1
+
+# This is the cloud-init user-data profile for all Debian systems. Note that it
+# is an extension of the default profile necessary for operation of
+# image-garden.
+define DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- apache2-dev
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- build-essential
+- dejagnu
+- dosfstools
+- flake8
+- flex
+- fuse-overlayfs
+- gdb
+- gettext
+- libdbus-1-dev
+- libpam0g-dev
+- libtool
+- liburing-dev
+- pkg-config
+- python3-all-dev
+- python3-gi
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-tk
+- python3-ttkthemes
+- swig
+- toybox
+# Update all the packages. This allows us to be on the up-to-date kernel
+# version that we cannot otherwise easily select with cloud init alone.  Note
+# that we do not need to reboot the system as image garden shuts down the image
+# after first boot. On subsequent boot we will be running the latest kernel.
+package_upgrade: true
+package_update: true
+endef
+
+# Ubuntu shares cloud-init profile with Debian.
+UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE=$(DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE)
+
+# This is the cloud-init user-data profile for openSUSE Tumbleweed.
+define OPENSUSE_tumbleweed_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+- sed -i -e 's/security=selinux/security=apparmor/g' /etc/default/grub
+- update-bootloader
+packages:
+- apache2-devel
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-1-devel
+- dejagnu
+- dosfstools
+- flex
+- fuse-overlayfs
+- gcc
+- gcc-c++
+- gdb
+- gettext
+- gobject-introspection
+- libtool
+- liburing2-devel
+- make
+- pam-devel
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-setuptools
+- python3-tk
+- python311
+- python311-devel
+- swig
+- which
+# See above for rationale.
+package_upgrade: true
+package_update: true
+endef
+
+define FEDORA_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-devel
+- dejagnu
+- dosfstools
+- flex
+- gdb
+- gettext
+- httpd-devel
+- libstdc++-static
+- libtool
+- liburing-devel
+- pam-devel
+- perl
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-gobject-base
+- python3-notify2
+- python3-tkinter
+- swig
+# See above for rationale.
+package_upgrade: true
+package_update: true
+endef

Makefile

@@ -59,7 +59,7 @@ coverity: snapshot
 		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
 	cov-build --dir $(COVERITY_DIR) -- sh -c \
 	"$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		$(MAKE) -C $(SNAPSHOT_NAME)/$(dir);) "
+		$(MAKE) -j $$(nproc) -C $(SNAPSHOT_NAME)/$(dir);) "
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir

README.md

@@ -197,6 +197,46 @@ usage and how to update and add tests. Below is a quick overview of their
 location and how to run them.
 
 
+Using spread with local virtual machines
+----------------------------------------
+
+It may be convenient to use the spread tool to provision and run the test suite
+in an ephemeral virtual machine. This allows testing in isolation from the
+host, as well as testing across different commonly used distributions and their
+real kernels.
+
+Image Garden is available as a snap. If you wish to use it this way then snap
+then install the snap with:
+
+```sh
+sudo snap install image-garden
+```
+
+If you need to install snapd first, see https://snapcraft.io/docs/installing-snapd
+
+Alternatively you may build image-garden and spread from source, and install
+dependencies manually.
+
+```sh
+sudo apt install git golang whois ovmf genisoimage qemu-utils qemu-system
+go install github.com/snapcore/spread/cmd/spread@latest
+git clone https://gitlab.com/zygoon/image-garden
+make -C image-garden
+sudo make -C image-garden install
+image-garden make ubuntu-cloud-24.10.x86_64.run
+cd $APPARMOR_PATH
+git clean -xdf
+~/go/bin/spread -artifacts ./spread-artifacts -v ubuntu-cloud-24.10
+# or ~/go/bin/spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
+```
+
+Running the `run_spread.sh` script, with `image-garden` snap installed or with
+`spread` on `PATH` will run all the tests across several supported systems
+(Debian, Ubuntu and openSUSE).
+
+If you include a `bzImage` file in the root of the repository then that kernel
+will be used in the integration test. Please look at `spread.yaml` for details.
+
 Regression tests
 ----------------
 For details on structure and adding tests, see
@@ -354,6 +394,10 @@ The aa-notify tool's Python dependencies can be satisfied by installing the
 following packages (Debian package names, other distros may vary):
 * python3-notify2
 * python3-psutil
+* python3-sqlite (part of the python3.NN-stdlib package)
+* python3-tk
+* python3-ttkthemes
+* python3-gi
 
 Perl is no longer needed since none of the utilities shipped to end users depend
 on it anymore.

binutils/Makefile

@@ -21,7 +21,7 @@ DESTDIR=/
 BINDIR=${DESTDIR}/usr/bin
 SBINDIR=${DESTDIR}/usr/sbin
 LOCALEDIR=/usr/share/locale
-MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-status.8
+MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-load.8 aa-status.8
 
 WARNINGS = -Wall
 CPP_WARNINGS =

binutils/aa-exec.pod

@@ -80,6 +80,109 @@ aa-exec.
 
 =back
 
+=head1 RESTRICTIONS
+
+aa-exec uses I<aa_change_profile(3)> to change application confinement.
+The use of I<aa_change_profile(3)> may be restricted by policy in ways
+that will cause failure or results different than expected.
+
+Even when using I<aa-exec> from unconfined restrictions in policy can
+causes failure or the confinement entered to be different than requested
+
+See the unpriviled unconfined restriction documentation for more detail.
+https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction
+
+=head1 STACKING
+
+aa-exec can be used to setup a stack of profiles as confinement. When an
+application is confined by a stack, all profiles in the stack are checked
+as if they were the profile confining the application. The resulting
+mediation is the intersection of what is allowed by each profile in the
+stack.
+
+The profiles in a stack are treated independently. Each profile can have
+its own flags and profile transitions. During an exec each profile gets
+to specify its transition and the results brought together to form a
+new canonicalized stack.
+
+The profile separator indicating a stack is the character sequence I<//&>.
+Thus a stack can be expressed using
+
+=over 4
+
+  $ aa-exec -p "unconfined//&firefox" -- bash
+  $ ps -Z
+  LABEL                               PID TTY          TIME CMD
+  unconfined                        30714 pts/12   00:00:00 bash
+  firefox//&unconfined (unconfined) 31160 pts/12   00:00:00 bash
+  firefox//&unconfined (unconfined) 31171 pts/12   00:00:00 ps
+
+=back
+
+=head1 NAMESPACES
+
+aa-exec can be used to enter confinement in another policy namespace
+if the policy namespaces exists, is visible, and the profile exists in
+the namespace. Note applications launched within the namespace will
+not be able to exit the namespace, and may be restricted by additional
+confinement around namespacing. Files and resources visible to the
+parent that launches the application may not be visible in the policy
+namespace resulting in access denials.
+
+To enter a policy namespace the profile is prefixed with the namespace's
+name, using a I<:> prefix and suffix.
+
+Eg.
+
+=over 4
+
+  $ aa-exec -p :ex1:unconfined -- bash
+  $ ps -Z
+  LABEL                               PID TTY          TIME CMD
+  -                                 30714 pts/12   00:00:00 bash
+  unconfined                        34372 pts/12   00:00:00 bash
+  unconfined                        34379 pts/12   00:00:00 ps
+
+=back
+
+Confinement of processes outside of the namespace may not be visible
+in which case the confinement will be represented with a -. If policy
+is stacked only part of the confinement might be visible. However
+confinement is usually fully visible from the parent policy namespace.
+
+Eg. the confinement of the child can be queried in the parent to see
+
+=over 4
+
+  $ ps -Z 34372
+  LABEL                               PID TTY      STAT   TIME COMMAND
+  :ex1:unconfined                   34372 pts/12   S+     0:00 bash
+
+=back
+
+And in the case of stacking with namespaces
+
+=over 4
+
+  $ aa-exec -p "unconfined//&:ex1:unconfined" -- bash
+  $ ps -Z
+  LABEL                               PID TTY          TIME CMD
+  -                                 30714 pts/12   00:00:00 bash
+  unconfined                        36298 pts/12   00:00:00 bash
+  unconfined                        36305 pts/12   00:00:00 ps
+
+=back
+
+while from the parent namespace the full confinement can be seen
+
+=over 4
+
+  $ ps -Z 36298
+  LABEL                               PID TTY      STAT   TIME COMMAND
+  unconfined//&:ex1:unconfined      36298 pts/12   S+     0:00 bash
+
+=back
+
 =head1 BUGS
 
 If you find any bugs, please report them at
@@ -87,7 +190,7 @@ L<https://gitlab.com/apparmor/apparmor/-/issues>
 
 =head1 SEE ALSO
 
-aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
+apparmor(7), apparmor.d(5), aa_change_profile(3),
 aa_change_onexec(3) and L<https://wiki.apparmor.net>.
 
 =cut

binutils/aa-load.pod

@@ -0,0 +1,77 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-load - load precompiled AppArmor policy from cache location(s)
+
+=head1 SYNOPSIS
+
+B<aa-load> [options] (cache file|cache dir|cache base dir)+
+
+=head1 DESCRIPTION
+
+B<aa-load> loads precompiled AppArmor policy from the specified locations.
+
+=head1 OPTIONS
+
+B<aa-load> accepts the following arguments:
+
+=over 4
+
+=item -f, --force
+
+Force B<aa-load> to load a policy even if its abi does not match the kernel abi.
+
+=item -d, --debug
+
+Display debug messages.
+
+=item -v, --verbose
+
+Display progress and error messages.
+
+=item -n, --dry-run
+
+Do not actually load the specified policy/policies into the kernel.
+
+=item -h, --help
+
+Display a brief usage guide.
+
+=back
+
+=head1 EXIT STATUS
+
+Upon exiting, B<aa-load> returns 0 upon success and 1 upon an error loading
+the precompiled policy.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://gitlab.com/apparmor/apparmor/-/issues>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), and L<https://wiki.apparmor.net>.
+
+=cut

binutils/aa-status.pod

@@ -117,13 +117,13 @@ display only counts for selected information.
 =item --filter.mode=filter
 
 Allows specifying a posix regular expression filter that will be
-applied against the displayed processess and profiles apparmor profile
+applied against the displayed processes and profiles apparmor profile
 mode, reducing the output.
 
 =item --filter.profiles=filter
 
 Allows specifying a posix regular expression filter that will be
-applied against the displayed processess and profiles confining
+applied against the displayed processes and profiles confining
 profile, reducing the output.
 
 =item --filter.pid=filter

binutils/aa_load.c

@@ -172,7 +172,8 @@ static int load_policy_dir(const char *dir_path)
 	while ((dir = readdir(d)) != NULL) {
 		/* Only check regular files for now */
 		if (dir->d_type == DT_REG) {
-			len = strnlen(dir->d_name, PATH_MAX);
+			/* As per POSIX dir->d_name has at most NAME_MAX characters */
+			len = strnlen(dir->d_name, NAME_MAX);
 			/* Ignores .features */
 			if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {
 				continue;
@@ -308,9 +309,8 @@ static int load_arg(char *arg)
 
 static void print_usage(const char *command)
 {
-	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)]*\n"
-	       "Load Precompiled AppArmor policy from a cache location or \n"
-	       "locations.\n\n"
+	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)+\n"
+	       "Load precompiled AppArmor policy from cache location(s)\n\n"
 	       "Options:\n"
 	       "  -f, --force     load policy even if abi does not match the kernel\n"
 	       "  -d, --debug     display debug messages\n"

binutils/aa_status.c

@@ -488,7 +488,7 @@ static int filter_processes(struct process *processes,
  *
  * Return: 0 on success, else shell error code
  */
-static int simple_filtered_count(FILE *outf, filters_t *filters,
+static int simple_filtered_count(FILE *outf, filters_t *filters, bool json,
 				 struct profile *profiles, size_t nprofiles)
 {
 	struct profile *filtered = NULL;
@@ -497,7 +497,13 @@ static int simple_filtered_count(FILE *outf, filters_t *filters,
 
 	ret = filter_profiles(profiles, nprofiles, filters,
 			      &filtered, &nfiltered);
-	fprintf(outf, "%zd\n", nfiltered);
+
+	if (!json) {
+		fprintf(outf, "%zd\n", nfiltered);
+	} else {
+		fprintf(outf, "\"profile_count\": %zd", nfiltered);
+	}
+
 	free_profiles(filtered, nfiltered);
 
 	return ret;
@@ -512,7 +518,7 @@ static int simple_filtered_count(FILE *outf, filters_t *filters,
  *
  * Return: 0 on success, else shell error code
  */
-static int simple_filtered_process_count(FILE *outf, filters_t *filters,
+static int simple_filtered_process_count(FILE *outf, filters_t *filters, bool json,
 					 struct process *processes, size_t nprocesses) {
 	struct process *filtered = NULL;
 	size_t nfiltered;
@@ -520,7 +526,12 @@ static int simple_filtered_process_count(FILE *outf, filters_t *filters,
 
 	ret = filter_processes(processes, nprocesses, filters, &filtered,
 			       &nfiltered);
-	fprintf(outf, "%zd\n", nfiltered);
+	if (!json) {
+		fprintf(outf, "%zd\n", nfiltered);
+	} else {
+		fprintf(outf, "\"process_count\": %zd", nfiltered);
+	}
+	
 	free_processes(filtered, nfiltered);
 
 	return ret;
@@ -539,7 +550,12 @@ static int compare_processes_by_executable(const void *a, const void *b) {
 
 static void json_header(FILE *outf)
 {
-	fprintf(outf, "{\"version\": \"%s\", ", aa_status_json_version);
+	fprintf(outf, "{\"version\": \"%s\"", aa_status_json_version);
+}
+
+static void json_seperator(FILE *outf)
+{
+	fprintf(outf, ", ");
 }
 
 static void json_footer(FILE *outf)
@@ -607,7 +623,7 @@ static int detailed_profiles(FILE *outf, filters_t *filters, bool json,
 		free_profiles(filtered, nfiltered);
 	}
 	if (json)
-		fprintf(outf, "}, ");
+		fprintf(outf, "}");
 
 	return AA_EXIT_ENABLED;
 }
@@ -700,7 +716,7 @@ static int detailed_processes(FILE *outf, filters_t *filters, bool json,
 			fprintf(outf, "]");
 		}
 
-		fprintf(outf, "}\n");
+		fprintf(outf, "}");
 	}
 
 exit:
@@ -1028,8 +1044,10 @@ int main(int argc, char **argv)
 	if (opt_json)
 		json_header(outf);
 	if (opt_show & SHOW_PROFILES) {
+		if (opt_json)
+			json_seperator(outf);
 		if (opt_count) {
-			ret = simple_filtered_count(outf, &filters,
+			ret = simple_filtered_count(outf, &filters, opt_json,
 						    profiles, nprofiles);
 		} else {
 			ret = detailed_profiles(outf, &filters, opt_json,
@@ -1040,6 +1058,9 @@ int main(int argc, char **argv)
 	}
 
 	if (opt_show & SHOW_PROCESSES) {
+		if (opt_json)
+			json_seperator(outf);
+
 		struct process *processes = NULL;
 		size_t nprocesses = 0;
 
@@ -1047,7 +1068,7 @@ int main(int argc, char **argv)
 		if (ret != 0) {
 			eprintf("Failed to get processes: %d....\n", ret);
 		} else if (opt_count) {
-			ret = simple_filtered_process_count(outf, &filters,
+			ret = simple_filtered_process_count(outf, &filters, opt_json,
 							processes, nprocesses);
 		} else {
 			ret = detailed_processes(outf, &filters, opt_json,

binutils/po/aa_load.pot

@@ -0,0 +1,34 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2025-02-18 07:37-0800\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_load.c:40
+msgid "aa-load: WARN: "
+msgstr ""
+
+#: ../aa_load.c:41
+msgid "aa-load: ERROR: "
+msgstr ""
+
+#: ../aa_load.c:51
+msgid "\n"
+msgstr ""
+
+#: ../aa_load.c:52
+msgid "aa-load: DEBUG: "
+msgstr ""

binutils/po/be.po

@@ -0,0 +1,67 @@
+# Belarusian translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-05-05 21:55+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Belarusian <be@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-05-06 05:41+0000\n"
+"X-Generator: Launchpad (build fbdff7602bd10fb883bf7e2ddcc7fd5a16f60398)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/ca.po

@@ -0,0 +1,71 @@
+# Catalan translation for apparmor
+# Copyright (c) 2024 Rosetta Contributors and Canonical Ltd 2024
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2024.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2024-09-14 10:17+0000\n"
+"Last-Translator: Walter Garcia-Fontes <walter.garcia@upf.edu>\n"
+"Language-Team: Catalan <ca@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2024-09-15 07:16+0000\n"
+"X-Generator: Launchpad (build 1b1ed1ad2dbfc71ee62b5c5491c975135a771bf0)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [opcions]\n"
+"  opcions:\n"
+"  -q | --quiet        No imprimeixis cap missatge\n"
+"  -h | --help         Imprimeix l'ajuda\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "opcions desconegudes o incompatibles\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "opció desconeguda «%s»\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Sí\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "No - no esta disponible a aquest sistema\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "No - desactivat a l'inici.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Potser - la interfície de política no està disponible.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Potser - permisos insuficient per determinar la disponibilitat.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Error - '%s'\n"

binutils/po/cs.po

@@ -0,0 +1,67 @@
+# Czech translation for apparmor
+# Copyright (c) 2022 Rosetta Contributors and Canonical Ltd 2022
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2022.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2022-01-09 11:59+0000\n"
+"Last-Translator: Marek Hladík <mhladik@seznam.cz>\n"
+"Language-Team: Czech <cs@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2022-01-10 06:32+0000\n"
+"X-Generator: Launchpad (build 1682fd44eec4f62371f0bed122a83482daf08e23)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "neznámé nebo nekompatibilní volby\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "neznámá volba '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Ano\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Ne - není v tomto systému k dispozici.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Ne - zakázáno při startu.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Možná - rozhraní zásad není k dispozici.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Možná - nedostatečná oprávnění k určení dostupnosti.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Chyba - '%s'\n"

binutils/po/en_AU.po

@@ -0,0 +1,67 @@
+# English (Australia) translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-11-28 04:45+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: English (Australia) <en_AU@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-11-29 06:26+0000\n"
+"X-Generator: Launchpad (build 12d09381f8e8eee3115395875b132e165fa96574)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/en_CA.po

@@ -0,0 +1,67 @@
+# English (Canada) translation for apparmor
+# Copyright (c) 2021 Rosetta Contributors and Canonical Ltd 2021
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2021.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2021-10-01 04:55+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: English (Canada) <en_CA@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2021-10-02 06:17+0000\n"
+"X-Generator: Launchpad (build 1ce78163f6a09ed42b4201fe7d3f0e3a2eba7d02)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/et.po

@@ -0,0 +1,71 @@
+# Estonian translation for apparmor
+# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2023-07-04 08:52+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Estonian <et@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2023-07-05 04:31+0000\n"
+"X-Generator: Launchpad (build beda0e9dd2b131780db60fe479d4b43618b27243)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [valikud]\n"
+"   valikud:\n"
+"   -q | --quiet Ärge printige sõnumeid välja\n"
+"   -h | --help Prindi abiinfo\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "tundmatud või ühildumatud valikud\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "tundmatu valik '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Jah\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Ei – pole selles süsteemis saadaval.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Ei – käivitamisel keelatud.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Võib-olla – poliisiliides pole saadaval.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Võib-olla - kättesaadavuse määramiseks pole piisavalt õigusi.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Viga – '%s'\n"

binutils/po/gl.po

@@ -0,0 +1,67 @@
+# Galician translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-04-21 14:59+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Galician <gl@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-04-22 06:10+0000\n"
+"X-Generator: Launchpad (build aad6b57d58e2f621954298e262c1cc904860f5d2)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/he.po

@@ -0,0 +1,71 @@
+# Hebrew translation for apparmor
+# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2023-10-05 05:12+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Hebrew <he@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2023-10-06 08:32+0000\n"
+"X-Generator: Launchpad (build bd6cfd0cfc024dbe1dcd7d5d91165fb4f6a6c596)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [אפשרויות]\n"
+"  אפשרויות:\n"
+"  ‎-q | --quiet        לא להציג הודעות\n"
+"  ‎-h | --help         הצגת עזרה\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "אפשרויות לא ידועות או לא נתמכות\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "האפשרות ‚%s’ לא מוכרת\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "כן\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "לא - לא זמין במערכת הזאת.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "לא - מושבת בעלייה.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "אולי - מנשק המדיניות לא זמין.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "אולי - אין מספיק הרשאות לקבוע זמינות.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "שגיאה - ‚%s’\n"

binutils/po/hi.po

@@ -0,0 +1,67 @@
+# Hindi translation for apparmor
+# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2023-01-09 07:39+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Hindi <hi@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2023-01-10 06:22+0000\n"
+"X-Generator: Launchpad (build 87bfee1fd14ea3245297d63eeec1e4c8a1d203a8)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/hr.po

@@ -0,0 +1,71 @@
+# Croatian translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2021-10-03 10:17+0000\n"
+"Last-Translator: gogo <trebelnik2@gmail.com>\n"
+"Language-Team: Croatian <hr@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2021-10-04 06:23+0000\n"
+"X-Generator: Launchpad (build 1ce78163f6a09ed42b4201fe7d3f0e3a2eba7d02)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [mogućnosti]\n"
+"  options:\n"
+"  -q | --quiet        Ne prikazuj poruke\n"
+"  -h | --help         Prikaži pomoć\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "nepoznata ili nepotpuna mogućnost\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "nepoznata mogućnost '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Da\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Ne - nedostupno na ovom sustavu.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Ne - onemogućeno pri pokretanju.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Možda - pravilo sučelja nedostupno.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Možda - nedovoljna dozvola za određivanje dostupnosti.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Greška - '%s'\n"

binutils/po/it.po

@@ -0,0 +1,72 @@
+# Italian translation for apparmor
+# Copyright (c) 2022 Rosetta Contributors and Canonical Ltd 2022
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2022.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2022-06-30 17:54+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Italian <it@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2022-07-01 04:30+0000\n"
+"X-Generator: Launchpad (build f48158886a49da429840bcd298f0c7ed60f9ad7b)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [opzioni]\n"
+"  opzioni:\n"
+"  -q | --quiet Non stampa nessun messaggio\n"
+"  -h | --help Stampa la guida\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "opzioni sconosciute o incompatibili\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "opzione sconosciuta '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Si\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "No - non disponibile su questo sistema.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "No - disabilitato all'avvio.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Forse - interfaccia dei criteri non disponibile.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+"Forse - autorizzazioni insufficienti per determinare la disponibilità.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Errore - '%s'\n"

binutils/po/ka.po

@@ -0,0 +1,72 @@
+# Georgian translation for apparmor
+# Copyright (c) 2023 Rosetta Contributors and Canonical Ltd 2023
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2023.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2023-06-26 15:06+0000\n"
+"Last-Translator: NorwayFun <temuri.doghonadze@gmail.com>\n"
+"Language-Team: Georgian <ka@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2023-06-27 04:31+0000\n"
+"X-Generator: Launchpad (build aedf8597c50c1abc5fb7f9e871e686dfcb381fde)\n"
+"Language: aa\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [პარამეტრები]\n"
+"  პარამეტრები:\n"
+"  -q | --quiet        შეტყობინებები გამოტანილი არ იქნება\n"
+"  -h | --help         დახმარების გამოტანა\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "უცნობი ან შეუთავსებელი პარამეტრები\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "უცნობი პარამეტრი \"%s\"-სთვის\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "დიახ\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "არა - მიუწვდომელია ამ სისტემაზე\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "არა - გამორთულია ჩატვირთვისას\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "შეიძლება - პოლიტიკის ინტერფეისი ხელმისაწვდომი არაა.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "შეიძლება - არასაკმარისი წვდომები ხელმისაწვდომობის დასადგენად.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "შეცდომა - \"%s\"\n"

binutils/po/kab.po

@@ -0,0 +1,67 @@
+# Kabyle translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-04-29 14:31+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Kabyle <kab@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-04-30 05:44+0000\n"
+"X-Generator: Launchpad (build fbdff7602bd10fb883bf7e2ddcc7fd5a16f60398)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/my.po

@@ -0,0 +1,73 @@
+# Burmese translation for apparmor
+# Copyright (c) 2022 Rosetta Contributors and Canonical Ltd 2022
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2022.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2022-06-26 11:50+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Burmese <my@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2022-06-27 04:30+0000\n"
+"X-Generator: Launchpad (build 51a2e4fa2e9b8e45f00904ad7f53546f45ac48a5)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s- [options]\n"
+"  ရွေးချယ်စရာများ-\n"
+"  -q | --quiet မည်သည့်စာတိုကိုမှ ပရင့်မထုတ်ပါနှင့်။\n"
+"  -h | --help ပရင့်အကူအညီ\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "အမည်မသိ သို့မဟုတ် သဟဇာတမဖြစ်သော ရွေးချယ်စရာများ\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "အမည်မသိရွေးချယ်မှု '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "ဟုတ်\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "မဟုတ်ပါ - ဤစနစ်တွင် မရနိုင်ပါ။\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "မဟုတ်ပါ - boot တွင် ပိတ်ထားပါသည်။\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "ဖြစ်နိုင်ပါသည် - မူဝါဒ interface ကို မရနိုင်ပါ။\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+"ဖြစ်နိုင်ပါသည် - ရရှိနိုင်မှုကို ဆုံးဖြတ်ရန်အတွက် ခွင့်ပြုချက်များမှာ "
+"လုံလောက်မှုမရှိပါ။\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "အမှား- '%s'\n"

binutils/po/oc.po

@@ -0,0 +1,67 @@
+# Occitan (post 1500) translation for apparmor
+# Copyright (c) 2021 Rosetta Contributors and Canonical Ltd 2021
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2021.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2021-01-14 18:26+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Occitan (post 1500) <oc@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2021-01-15 07:59+0000\n"
+"X-Generator: Launchpad (build 511b4a3b6512aa3d421c5f7d74f3527e78bff26e)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/pl.po

@@ -0,0 +1,71 @@
+# Polish translation for apparmor
+# Copyright (c) 2021 Rosetta Contributors and Canonical Ltd 2021
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2021.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2021-07-22 20:10+0000\n"
+"Last-Translator: Marek Adamski <Unknown>\n"
+"Language-Team: Polish <pl@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2021-07-23 06:03+0000\n"
+"X-Generator: Launchpad (build 7edebbcd0516593cf020aaa3c59299732a7c73cc)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [opcje]\n"
+"  opcje:\n"
+"  -q | --quiet Nie wyświetlaj żadnych komunikatów\n"
+"  -h | --help Wyświetl pomoc\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "nieznane lub niekompatybilne opcje\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "nieznana opcja '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Tak\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Nie - nie jest dostępne w tym systemie.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Nie - wyłączone podczas rozruchu.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Może - interfejs zasad nie jest dostępny.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Może - brak wystarczających uprawnień do określenia dostępności.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Błąd - '%s'\n"

binutils/po/pt_BR.po

@@ -0,0 +1,71 @@
+# Brazilian Portuguese translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-04-27 20:32+0000\n"
+"Last-Translator: Rodrigo Farias <Unknown>\n"
+"Language-Team: Brazilian Portuguese <pt_BR@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-04-28 05:52+0000\n"
+"X-Generator: Launchpad (build d1105341713c5be348effe2a5142c4a210ce4cde)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [options]\n"
+"  opções:\n"
+"  -q | --quiet        Não imprimir nenhum mensagem\n"
+"  -h | --help         Assistente de impressão\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "opções incompatíveis ou desconhecidas\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "opção desconhecida '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Sim\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Não - não disponível neste sistema.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Não - desabilitado na inicialização.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Talvez - interface de política não disponível.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Talvez - permissões insuficientes para determinar disponibilidade.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Erro - '%s'\n"

binutils/po/ro.po

@@ -1,21 +1,26 @@
-# Romanian translation for apparmor
-# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# Romanian translation for apparmor, "apparmor-binutils" component.
+# Mesajele în limba română pentru pachetul „apparmor”, componenta „apparmor-binutils”.
+# Copyright © 2020 Rosetta Contributors and Canonical Ltd.
+# Copyright © 2024 Canonical Ltd.
 # This file is distributed under the same license as the apparmor package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+# Daniel Slavu <Unknown>, feb-2020.
+# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, sep-2024.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: apparmor\n"
-"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"Project-Id-Version: apparmor-binutils\n"
+"Report-Msgid-Bugs-To: <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2015-11-28 10:23-0800\n"
-"PO-Revision-Date: 2020-02-20 21:47+0000\n"
-"Last-Translator: Daniel Slavu <Unknown>\n"
-"Language-Team: Romanian <ro@li.org>\n"
+"PO-Revision-Date: 2024-09-23 22:45+0000\n"
+"Last-Translator: Remus-Gabriel Chelu <Unknown>\n"
+"Language-Team: Romanian <debian-l10n-romanian@lists.debian.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2020-02-21 05:39+0000\n"
-"X-Generator: Launchpad (build 19413b719a8df7423ab1390528edadce9e0e4aca)\n"
+"X-Launchpad-Export-Date: 2024-09-25 04:33+0000\n"
+"X-Generator: Launchpad (build 1b1ed1ad2dbfc71ee62b5c5491c975135a771bf0)\n"
+"Language: ro\n"
 
 #: ../aa_enabled.c:26
 #, c-format
@@ -27,8 +32,8 @@ msgid ""
 msgstr ""
 "%s: [opțiuni]\n"
 "  opțiuni:\n"
-"  -q | --calm Nu imprima niciun mesaj\n"
-"  -h | - ajutor Imprimare ajutor\n"
+"  -q | --quiet        nu afișează niciun mesaj\n"
+"  -h | --help        imprimă ajutorul\n"
 
 #: ../aa_enabled.c:45
 #, c-format
@@ -38,7 +43,7 @@ msgstr "opțiuni necunoscute sau incompatibile\n"
 #: ../aa_enabled.c:55
 #, c-format
 msgid "unknown option '%s'\n"
-msgstr "opțiune necunoscută '%s'\n"
+msgstr "opțiune necunoscută „%s”\n"
 
 #: ../aa_enabled.c:64
 #, c-format
@@ -58,7 +63,8 @@ msgstr "Nu - dezactivat la pornire.\n"
 #: ../aa_enabled.c:77
 #, c-format
 msgid "Maybe - policy interface not available.\n"
-msgstr "Poate - interfața politică nu este disponibilă.\n"
+msgstr ""
+"Poate - interfața politică (de directive politice) nu este disponibilă.\n"
 
 #: ../aa_enabled.c:81
 #, c-format
@@ -69,4 +75,4 @@ msgstr ""
 #: ../aa_enabled.c:84
 #, c-format
 msgid "Error - '%s'\n"
-msgstr "Eroare - '%s'\n"
+msgstr "Eroare - „%s”\n"

binutils/po/sr.po

@@ -0,0 +1,67 @@
+# Serbian translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-11-23 18:06+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Serbian <sr@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-11-24 05:55+0000\n"
+"X-Generator: Launchpad (build c35ff22711d15549e2303ae18ae521fd91f6bf00)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/uk.po

@@ -0,0 +1,71 @@
+# Ukrainian translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-05-19 21:48+0000\n"
+"Last-Translator: Nazarii Ritter <nazariy.ritter@gmail.com>\n"
+"Language-Team: Ukrainian <uk@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-05-20 05:42+0000\n"
+"X-Generator: Launchpad (build 0385b538081bc4718df6fb844a3afc89729c94ce)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [опції]\n"
+"  опції:\n"
+"  -q | --quiet Не виводити жодних повідомлень\n"
+"  -h | --help Вивести довідку\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "невідомі або несумісні опції\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "невідомий параметр «%s»\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Так\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Ні – недоступно на цій системі.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Ні – вимкнено під час завантаження.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Можливо – інтерфейс політики недоступний.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Можливо – недостатньо дозволів для визначення наявності.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Помилка - '%s'\n"

binutils/po/zh_CN.po

@@ -0,0 +1,71 @@
+# Chinese (Simplified) translation for apparmor
+# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2020-05-14 09:16+0000\n"
+"Last-Translator: 玉堂白鹤 <yjwork@qq.com>\n"
+"Language-Team: Chinese (Simplified) <zh_CN@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2020-05-15 05:51+0000\n"
+"X-Generator: Launchpad (build 0385b538081bc4718df6fb844a3afc89729c94ce)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [选项]\n"
+"  选项:\n"
+"  -q | --quiet        不要打印任何消息\n"
+"  -h | --help         打印帮助\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "未知或不兼容的选项\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "未知选项 '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "是\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "否 - 在此系统上不可用。\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "否 - 引导时被禁用。\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "也许 - 策略界面不可用\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "也许 - 没有足够的权限确定可用性。\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "错误 - '%s'\n"

common/Make.rules

@@ -35,17 +35,14 @@ VERSION=$(shell cat $(COMMONDIR)/Version)
 pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
 map = $(foreach a,$(2),$(call $(1),$(a)))
 
-AWK:=$(shell which awk)
-ifndef AWK
-$(error awk utility required for build but not available)
-endif
+AWK?=$(or $(shell which awk),$(error awk utility required for build but not available))
 
 define nl
 
 
 endef
 
-REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
+REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || $(AWK) '{ print $2 }' common/.stamp_rev
 
 ifndef PYTHON_VERSIONS
 PYTHON_VERSIONS = $(call map, pathsearch, python3)

common/Version

@@ -1 +1 @@
-4.0.0~beta3
+4.1.0

libraries/libapparmor/configure.ac

@@ -92,6 +92,8 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 
+AC_PROG_CXX
+
 m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
 EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
 AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
@@ -99,6 +101,7 @@ AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
 	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
 	,)
 AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
+AC_SUBST([AM_CXXFLAGS], ["$EXTRA_CFLAGS"])
 
 AC_OUTPUT(
 Makefile

libraries/libapparmor/include/aalogparse.h

@@ -19,6 +19,10 @@
 #ifndef __LIBAALOGPARSE_H_
 #define __LIBAALOGPARSE_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define AA_RECORD_EXEC_MMAP	1
 #define AA_RECORD_READ		2
 #define AA_RECORD_WRITE		4
@@ -26,10 +30,10 @@
 #define AA_RECORD_LINK		16
 
 /**
- * This is just for convenience now that we have two 
- * wildly different grammars.
+ * Enum representing which syntax version the log entry used.
+ * Support for V1 parsing was completely removed in 2011 and that enum entry
+ * is only still there for API compatibility reasons.
  */
-
 typedef enum
 {
 	AA_RECORD_SYNTAX_V1,
@@ -48,70 +52,23 @@ typedef enum
 	AA_RECORD_STATUS	/* Configuration change */
 } aa_record_event_type;
 
-/**
- * With the sole exception of active_hat, this is a 1:1
- * mapping from the keys that the new syntax uses.
+/*
+ * Use this preprocessor dance to maintain backcompat for field names
+ * This will break C code that used the C++ reserved keywords "namespace"
+ * and "class" as identifiers, but this is bad practice anyways, and we
+ * hope that we are the only ones in a given C file that messed up this way
  *
- * Some examples of the old syntax and how they're mapped with the aa_log_record struct:
- *
- * "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
- * - operation: access
- * - requested_mask: r
- * - pid: 12345
- * - profile: /profile
- * - name: /path
- * - info: program_name
- * - active_hat: hat
- *
- * "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
- * - operation: mkdir
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out 
- * - active_hat: /bin/freak-aa-out 
- * 
- * "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: xattr
- * - attribute: set
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- *
- * "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: setattr
- * - attribute: something
- * - name: /else
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: capability
- * - name: cap
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
- * - operation: change_hat
- * - name: TESTHAT
- * - info: unknown_hat
- * - pid: 27764
- * - profile: /change_hat_test/test_hat
- * - active_hat: /change_hat_test/test_hat
- *
- * "LOGPROF-HINT fork pid=27764 child=38229"
- * - operation: clone
- * - task: 38229
- * - pid: 27764
- **/
+ * TODO: document this in a man page for aalogparse?
+ */
+#if defined(SWIG) && defined(__cplusplus)
+#error "SWIG and __cplusplus are defined together"
+#elif !defined(SWIG) && !defined(__cplusplus)
+/* Use SWIG's %rename feature to preserve backcompat */
+#define class rule_class
+#define namespace aa_namespace
+#endif
 
-typedef struct
+typedef struct aa_log_record
 {
 	aa_record_syntax_version version;
 	aa_record_event_type event;	/* Event type */
@@ -134,7 +91,7 @@ typedef struct
 	char *comm;			/* Command that triggered msg */
 	char *name;
 	char *name2;
-	char *namespace;
+	char *aa_namespace;
 	char *attribute;
 	unsigned long parent;	
 	char *info;
@@ -148,6 +105,7 @@ typedef struct
 	unsigned long net_local_port;
 	char *net_foreign_addr;
 	unsigned long net_foreign_port;
+
 	char *dbus_bus;
 	char *dbus_path;
 	char *dbus_interface;
@@ -160,7 +118,11 @@ typedef struct
 	char *flags;
 	char *src_name;
 
-	char *class;
+	char *rule_class;
+
+	char *net_addr;
+	char *peer_addr;
+	char *execpath;
 } aa_log_record;
 
 /**
@@ -171,7 +133,7 @@ typedef struct
  * @return Parsed data.
  */
 aa_log_record *
-parse_record(char *str);
+parse_record(const char *str);
 
 /**
  * Frees all struct data.
@@ -180,5 +142,9 @@ parse_record(char *str);
 void
 free_record(aa_log_record *record);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif
 

libraries/libapparmor/include/sys/apparmor.h

@@ -105,8 +105,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
 #define AA_QUERY_CMD_LABEL		"label"
 #define AA_QUERY_CMD_LABEL_SIZE		sizeof(AA_QUERY_CMD_LABEL)
 
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
+extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
+			  int *audited);
 extern int aa_query_file_path_len(uint32_t mask, const char *label,
 				  size_t label_len, const char *path,
 				  size_t path_len, int *allowed, int *audited);

libraries/libapparmor/src/Makefile.am

@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
 #
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
 
-AA_LIB_CURRENT = 18
-AA_LIB_REVISION = 1
-AA_LIB_AGE = 17
-EXPECTED_SO_NAME = libapparmor.so.1.17.1
+AA_LIB_CURRENT = 25
+AA_LIB_REVISION = 2
+AA_LIB_AGE = 24
+EXPECTED_SO_NAME = libapparmor.so.1.24.2
 
 SUFFIXES = .pc.in .pc
 
@@ -44,7 +44,7 @@ include $(COMMONDIR)/Make.rules
 
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
-AM_YFLAGS = -d -p aalogparse_
+AM_YFLAGS = -Wno-yacc -d -p aalogparse_
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<
@@ -52,7 +52,7 @@ scanner.h: scanner.l
 scanner.c: scanner.l
 
 af_protos.h:
-	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
@@ -73,6 +73,16 @@ CLEANFILES = libapparmor.pc
 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a
 
+tst_aalogparse_cpp_SOURCES = tst_aalogparse_cpp.cpp
+tst_aalogparse_cpp_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_oldname_SOURCES = tst_aalogparse_oldname.c
+tst_aalogparse_oldname_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_reentrancy_SOURCES = tst_aalogparse_reentrancy.c
+tst_aalogparse_reentrancy_LDADD = .libs/libapparmor.a
+tst_aalogparse_reentrancy_LDFLAGS = -pthread
+
 tst_features_SOURCES = tst_features.c
 tst_features_LDADD = .libs/libapparmor.a
 
@@ -80,7 +90,7 @@ tst_kernel_SOURCES = tst_kernel.c
 tst_kernel_LDADD = .libs/libapparmor.a
 tst_kernel_LDFLAGS = -pthread
 
-check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
+check_PROGRAMS = tst_aalogmisc tst_aalogparse_cpp tst_aalogparse_reentrancy tst_aalogparse_oldname tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
 .PHONY: check-local

libraries/libapparmor/src/features.c

@@ -399,6 +399,10 @@ static bool walk_one(const char **str, const struct component *component,
 			i = 0;
 
 		cur++;
+
+		/* Partial match, continue to search */
+		if (i == component->len && !isbrace_space_or_nul(*cur))
+			i = 0;
 	}
 
 	/* Return false if a full match was not found */

libraries/libapparmor/src/grammar.y

@@ -15,17 +15,15 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+/* aalogparse_error now requires visibility of the aa_log_record type
+ * Also include in a %code requires block to add it to the header
+ */
+%code requires{
+	#include <aalogparse.h>
+}
 
 %{
 
-/* set the following to non-zero to get bison to emit debugging
- * information about tokens given and rules matched.
- * Also:
- *   Uncomment the %defines
- *   parse.error
- *   parse.trace
- */
-#define YYDEBUG 0
 #include <string.h>
 #include <aalogparse.h>
 #include "parser.h"
@@ -41,12 +39,10 @@
 #define debug_unused_ unused_
 #endif
 
-aa_log_record *ret_record;
-
 /* Since we're a library, on any errors we don't want to print out any
  * error messages. We should probably add a debug interface that does
  * emit messages when asked for. */
-void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
+void aalogparse_error(unused_ void *scanner, aa_log_record *ret_record, debug_unused_ char const *s)
 {
 #if (YYDEBUG != 0)
 	printf("ERROR: %s\n", s);
@@ -89,9 +85,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %define parse.trace
 */
 
-%define api.pure
+%define api.pure full
 %lex-param{void *scanner}
 %parse-param{void *scanner}
+%parse-param{aa_log_record *ret_record}
 
 %union
 {
@@ -114,6 +111,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_PERIOD
 %token TOK_QUESTION_MARK
 %token TOK_SINGLE_QUOTE
+%token TOK_NONE
 
 %token TOK_TYPE_REJECT
 %token TOK_TYPE_AUDIT
@@ -187,6 +185,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_UNIX_PEER_ADDR
+%token TOK_KEY_EXECPATH
 %token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
@@ -281,8 +281,9 @@ audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
 
 audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
 	{
-		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
-			yyerror(scanner, YY_("Out of memory"));
+		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7)) {
+			yyerror(scanner, ret_record, YY_("Out of memory"));
+		}
 		ret_record->epoch = atol($3);
 		ret_record->audit_sub_id = atoi($7);
 		free($3);
@@ -305,7 +306,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_NAME TOK_EQUALS safe_string
 	{ ret_record->name = $3;}
 	| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
-	{ ret_record->namespace = $3;}
+	{ ret_record->aa_namespace = $3;}
 	| TOK_KEY_NAME2 TOK_EQUALS safe_string
 	{ ret_record->name2 = $3;}
 	| TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
@@ -354,6 +355,13 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
+	| TOK_KEY_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_ADDR TOK_EQUALS safe_string
+	{ ret_record->net_addr = $3; }
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS safe_string
+	{ ret_record->peer_addr = $3; }
 	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
 	{ free($3);} /* Ignore - fsuid username */
 	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
@@ -363,10 +371,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
 	{ free($3); /* Ignore - hostname from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
 	| TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS safe_string
-	{ free($3); /* Ignore - IP address from user AVC messages */ }
 	| TOK_KEY_TERMINAL TOK_EQUALS safe_string
 	{ free($3); /* Ignore - TTY from user AVC messages */ }
 	| TOK_KEY_EXE TOK_EQUALS safe_string
@@ -419,21 +424,21 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->dbus_member = $3; }
 	| TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
 	{ ret_record->signal = $3; }
-
 	| TOK_KEY_FSTYPE TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fs_type = $3; }
 	| TOK_KEY_FLAGS TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->flags = $3; }
 	| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->src_name = $3; }
-
+	| TOK_KEY_EXECPATH TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->execpath = $3; }
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
 	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
-	{ ret_record->class = $3; }
+	{ ret_record->rule_class = $3; }
 	;
 
 apparmor_event:
@@ -470,31 +475,3 @@ protocol: TOK_QUOTED_STRING
 	}
 	;
 %%
-
-aa_log_record *
-_parse_yacc(char *str)
-{
-	/* yydebug = 1;  */
-	YY_BUFFER_STATE lex_buf;
-	yyscan_t scanner;
-
-	ret_record = NULL;
-	ret_record = malloc(sizeof(aa_log_record));
-
-	_init_log_record(ret_record);
-
-	if (ret_record == NULL)
-		return NULL;
-
-#if (YYDEBUG != 0)
-	yydebug = 1;
-#endif
-
-	aalogparse_lex_init(&scanner);
-	lex_buf = aalogparse__scan_string(str, scanner);
-	/* Ignore return value to return an AA_RECORD_INVALID event */
-	(void)aalogparse_parse(scanner);
-	aalogparse__delete_buffer(lex_buf, scanner);
-	aalogparse_lex_destroy(scanner);
-	return ret_record;
-}

libraries/libapparmor/src/libaalogparse.c

@@ -34,13 +34,42 @@
 #include <aalogparse.h>
 #include "parser.h"
 
+#include "grammar.h"
+#include "scanner.h"
+
 /* This is mostly just a wrapper around the code in grammar.y */
-aa_log_record *parse_record(char *str)
+aa_log_record *parse_record(const char *str)
 {
+	YY_BUFFER_STATE lex_buf;
+	yyscan_t scanner;
+	aa_log_record *ret_record;
+
 	if (str == NULL)
 		return NULL;
 
-	return _parse_yacc(str);
+	ret_record = malloc(sizeof(aa_log_record));
+
+	_init_log_record(ret_record);
+
+	if (ret_record == NULL)
+		return NULL;
+
+	struct string_buf string_buf = {.buf = NULL, .buf_len = 0, .buf_alloc = 0};
+
+#if (YYDEBUG != 0)
+	/* Warning: this is still a global even in reentrant parsers */
+	aalogparse_debug = 1;
+#endif
+
+	aalogparse_lex_init_extra(&string_buf, &scanner);
+	lex_buf = aalogparse__scan_string(str, scanner);
+	/* Ignore return value to return an AA_RECORD_INVALID event */
+	(void)aalogparse_parse(scanner, ret_record);
+	aalogparse__delete_buffer(lex_buf, scanner);
+	aalogparse_lex_destroy(scanner);
+	/* free(NULL) is a no-op */
+	free(string_buf.buf);
+	return ret_record;
 }
 
 void free_record(aa_log_record *record)
@@ -63,8 +92,8 @@ void free_record(aa_log_record *record)
 			free(record->name);
 		if (record->name2 != NULL)
 			free(record->name2);
-		if (record->namespace != NULL)
-			free(record->namespace);
+		if (record->aa_namespace != NULL)
+			free(record->aa_namespace);
 		if (record->attribute != NULL)
 			free(record->attribute);
 		if (record->info != NULL)
@@ -103,8 +132,15 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
-		if (record->class != NULL)
-			free(record->class);
+		if (record->net_addr != NULL)
+			free(record->net_addr);
+		if (record->peer_addr != NULL)
+			free(record->peer_addr);
+		if (record->execpath != NULL)
+			free(record->execpath);
+
+		if (record->rule_class != NULL)
+			free(record->rule_class);
 
 		free(record);
 	}

libraries/libapparmor/src/libapparmor.map

@@ -127,6 +127,7 @@ APPARMOR_3.0 {
 APPARMOR_3.1 {
   global:
 	aa_features_check;
+	aa_split_overlay_str;
   local:
 	*;
 } APPARMOR_3.0;

libraries/libapparmor/src/parser.h

@@ -19,8 +19,14 @@
 #ifndef __AA_LOG_PARSER_H__
 #define __AA_LOG_PARSER_H__
 
+// Internal-only type
+struct string_buf {
+	char *buf;
+	unsigned int buf_len;
+	unsigned int buf_alloc;
+};
+
 extern void _init_log_record(aa_log_record *record);
-extern aa_log_record *_parse_yacc(char *str);
 extern char *hex_to_string(char *str);
 extern char *ipproto_to_string(unsigned int proto);
 

libraries/libapparmor/src/scanner.l

@@ -19,6 +19,7 @@
 %option nounput
 %option noyy_top_state
 %option reentrant
+%option extra-type="struct string_buf*"
 %option prefix="aalogparse_"
 %option bison-bridge
 %option header-file="scanner.h"
@@ -34,40 +35,37 @@
 
 #define YY_NO_INPUT
 
-unsigned int string_buf_alloc = 0;
-unsigned int string_buf_len = 0;
-char *string_buf = NULL;
-
-void string_buf_reset()
+void string_buf_reset(struct string_buf* char_buf)
 {
 	/* rewind buffer to zero, possibly doing initial allocation too */
-	string_buf_len = 0;
- 	if (string_buf == NULL) {
-		string_buf_alloc = 128;
-		string_buf = malloc(string_buf_alloc);
-		assert(string_buf != NULL);
+	char_buf->buf_len = 0;
+	if (char_buf->buf == NULL) {
+		char_buf->buf_alloc = 128;
+		char_buf->buf = malloc(char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* always start with a valid but empty string */
-	string_buf[0] = '\0';
+	char_buf->buf[0] = '\0';
 }
 
-void string_buf_append(unsigned int length, char *text)
+void string_buf_append(struct string_buf* char_buf, unsigned int length, char *text)
 {
-	unsigned int current_length = string_buf_len;
+	unsigned int current_length = char_buf->buf_len;
 
 	/* handle calling ..._append before ..._reset */
-	if (string_buf == NULL) string_buf_reset();
+	if (char_buf->buf == NULL) string_buf_reset(char_buf);
 
-	string_buf_len += length;
+	char_buf->buf_len += length;
 	/* expand allocation if this append would exceed the allocation */
-	while (string_buf_len >= string_buf_alloc) {
-		string_buf_alloc *= 2;
-		string_buf = realloc(string_buf, string_buf_alloc);
-		assert(string_buf != NULL);
+	while (char_buf->buf_len >= char_buf->buf_alloc) {
+		// TODO: overflow?
+		char_buf->buf_alloc *= 2;
+		char_buf->buf = realloc(char_buf->buf, char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* copy and unconditionally terminate */
-	memcpy(string_buf+current_length, text, length);
-	string_buf[string_buf_len] = '\0';
+	memcpy(char_buf->buf+current_length, text, length);
+	char_buf->buf[char_buf->buf_len] = '\0';
 }
 
 %}
@@ -90,6 +88,7 @@ question_mark	"?"
 single_quote	"'"
 mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
 modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
+none		"none"
 /* New message types */
 
 aa_reject_type		"APPARMOR_DENIED"
@@ -157,9 +156,13 @@ key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
 key_laddr		"laddr"
+key_saddr		"saddr"
 key_faddr		"faddr"
+key_daddr		"daddr"
 key_lport		"lport"
+key_srcport		"src"
 key_fport		"fport"
+key_destport		"dest"
 key_bus			"bus"
 key_dest		"dest"
 key_path		"path"
@@ -173,6 +176,8 @@ key_flags		"flags"
 key_srcname		"srcname"
 key_class		"class"
 key_tcontext		"tcontext"
+key_unix_peer_addr	"peer_addr"
+key_execpath		"execpath"
 audit			"audit"
 
 /* network addrs */
@@ -225,7 +230,7 @@ yy_flex_debug = 0;
 	{open_paren}		{ return(TOK_OPEN_PAREN); }
 	{close_paren}		{ BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
 	{ws}		{ }
-	\"			{ string_buf_reset(); BEGIN(quoted_string); }
+	\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{ID}+	{
 			yylval->t_str = strdup(yytext);
 			BEGIN(INITIAL);
@@ -234,20 +239,20 @@ yy_flex_debug = 0;
 	{equals}		{ return(TOK_EQUALS); }
 	}
 
-\"			{ string_buf_reset(); BEGIN(quoted_string); }
+\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 <quoted_string>\"	{ /* End of the quoted string */
 				BEGIN(INITIAL);
-				yylval->t_str = strdup(string_buf);
+				yylval->t_str = strdup(yyextra->buf);
 				return(TOK_QUOTED_STRING);
 			}
 
 
-<quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
+<quoted_string>\\(.|\n) { string_buf_append(yyextra, 1, &yytext[1]); }
 
-<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
+<quoted_string>[^\\\n\"]+ { string_buf_append(yyextra, yyleng, yytext); }
 
 <safe_string>{
-	\"		{ string_buf_reset(); BEGIN(quoted_string); }
+	\"		{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{hexstring}	{ yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
 	{equals}	{ return(TOK_EQUALS); }
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
@@ -303,6 +308,8 @@ yy_flex_debug = 0;
 {period}		{ return(TOK_PERIOD); }
 {question_mark}		{ return(TOK_QUESTION_MARK); }
 {single_quote}		{ return(TOK_SINGLE_QUOTE); }
+{none}			{ return(TOK_NONE); }
+
 
 {key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
 {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
@@ -342,7 +349,7 @@ yy_flex_debug = 0;
 {key_sauid}		{ return(TOK_KEY_SAUID); }
 {key_ses}		{ return(TOK_KEY_SES); }
 {key_hostname}		{ return(TOK_KEY_HOSTNAME); }
-{key_addr}		{ return(TOK_KEY_ADDR); }
+{key_addr}		{ BEGIN(safe_string); return(TOK_KEY_ADDR); }
 {key_terminal}		{ return(TOK_KEY_TERMINAL); }
 {key_exe}		{ BEGIN(safe_string); return(TOK_KEY_EXE); }
 {key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
@@ -351,9 +358,13 @@ yy_flex_debug = 0;
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
 {key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_saddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_daddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_lport}		{ return(TOK_KEY_LPORT); }
+{key_srcport}		{ return(TOK_KEY_LPORT); }
 {key_fport}		{ return(TOK_KEY_FPORT); }
+{key_destport}		{ return(TOK_KEY_FPORT); }
 {key_bus}		{ return(TOK_KEY_BUS); }
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
@@ -364,6 +375,8 @@ yy_flex_debug = 0;
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_unix_peer_addr}    { BEGIN(safe_string); return(TOK_KEY_UNIX_PEER_ADDR); }
+{key_execpath}		{ BEGIN(safe_string); return(TOK_KEY_EXECPATH); }
 {key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }

libraries/libapparmor/src/tst_aalogparse_cpp.cpp

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can do aalogparse stuff in C++ */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->aa_namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->rule_class != NULL) && (strcmp(record->rule_class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_oldname.c

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can use the C++-incompatible field names */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->class != NULL) && (strcmp(record->class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_reentrancy.c

@@ -0,0 +1,154 @@
+#include <pthread.h>
+#include <string.h>
+
+#include <aalogparse.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+const char* log_line_2 = "[ 4074.372559] audit: type=1400 audit(1725553393.143:793): apparmor=\"DENIED\" operation=\"capable\" class=\"cap\" profile=\"/usr/lib/snapd/snap-confine\" pid=19034 comm=\"snap-confine\" capability=12  capname=\"net_admin\"";
+
+static int pthread_barrier_ok(int barrier_result) {
+	return barrier_result == 0 || barrier_result == PTHREAD_BARRIER_SERIAL_THREAD;
+}
+
+static int nullcmp_and_strcmp(const void *s1, const void *s2)
+{
+	/* Return 0 if both pointers are NULL & non-zero if only one is NULL */
+	if (!s1 || !s2)
+		return s1 != s2;
+
+	return strcmp(s1, s2);
+}
+
+int aa_log_record_eq(aa_log_record *record1, aa_log_record *record2) {
+	int are_eq = 1;
+
+	are_eq &= (record1->version == record2->version);
+	are_eq &= (record1->event == record2->event);
+	are_eq &= (record1->pid == record2->pid);
+	are_eq &= (record1->peer_pid == record2->peer_pid);
+	are_eq &= (record1->task == record2->task);
+	are_eq &= (record1->magic_token == record2->magic_token);
+	are_eq &= (record1->epoch == record2->epoch);
+	are_eq &= (record1->audit_sub_id == record2->audit_sub_id);
+
+	are_eq &= (record1->bitmask == record2->bitmask);
+	are_eq &= (nullcmp_and_strcmp(record1->audit_id, record2->audit_id) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->operation, record2->operation) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->denied_mask, record2->denied_mask) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->requested_mask, record2->requested_mask) == 0);
+	are_eq &= (record1->fsuid == record2->fsuid);
+	are_eq &= (record1->ouid == record2->ouid);
+	are_eq &= (nullcmp_and_strcmp(record1->profile, record2->profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_profile, record2->peer_profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->comm, record2->comm) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name, record2->name) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name2, record2->name2) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->namespace, record2->namespace) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->attribute, record2->attribute) == 0);
+	are_eq &= (record1->parent == record2->parent);
+	are_eq &= (nullcmp_and_strcmp(record1->info, record2->info) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_info, record2->peer_info) == 0);
+	are_eq &= (record1->error_code == record2->error_code);
+	are_eq &= (nullcmp_and_strcmp(record1->active_hat, record2->active_hat) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_family, record2->net_family) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_protocol, record2->net_protocol) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_sock_type, record2->net_sock_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_local_addr, record2->net_local_addr) == 0);
+	are_eq &= (record1->net_local_port == record2->net_local_port);
+	are_eq &= (nullcmp_and_strcmp(record1->net_foreign_addr, record2->net_foreign_addr) == 0);
+	are_eq &= (record1->net_foreign_port == record2->net_foreign_port);
+
+	are_eq &= (nullcmp_and_strcmp(record1->execpath, record2->execpath) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_bus, record2->dbus_bus) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_path, record2->dbus_path) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_interface, record2->dbus_interface) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_member, record2->dbus_member) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->signal, record2->signal) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer, record2->peer) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->fs_type, record2->fs_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->flags, record2->flags) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->src_name, record2->src_name) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->class, record2->class) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->net_addr, record2->net_addr) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_addr, record2->peer_addr) == 0);
+	return are_eq;
+}
+
+typedef struct {
+	const char* log;
+	pthread_barrier_t *barrier;
+} pthread_parse_args;
+
+void* pthread_parse_log(void* args) {
+	pthread_parse_args *args_real = (pthread_parse_args *) args;
+	int barrier_wait_result = pthread_barrier_wait(args_real->barrier);
+	/* Return NULL and fail test if barrier wait fails */
+	if (!pthread_barrier_ok(barrier_wait_result)) {
+		return NULL;
+	}
+	aa_log_record *record = parse_record(args_real->log);
+	return (void*) record;
+}
+
+#define NUM_THREADS 16
+
+int main(void) {
+	pthread_t thread_ids[NUM_THREADS];
+	pthread_barrier_t barrier;
+	int barrier_wait_result;
+	aa_log_record* parsed_logs[NUM_THREADS];
+	int rc = 0;
+	/* Set up arguments to be passed to threads */
+	pthread_parse_args args = {.log=log_line, .barrier=&barrier};
+	pthread_parse_args args2 = {.log=log_line_2, .barrier=&barrier};
+
+	MY_TEST(NUM_THREADS > 2, "Test requires more than 2 threads");
+
+	/* Use barrier to synchronize the start of log parsing among all the threads
+	 * This increases the likelihood of tickling race conditions, if there are any
+	 */
+	MY_TEST(pthread_barrier_init(&barrier, NULL, NUM_THREADS+1) == 0,
+		"Could not init pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		if (i%2 == 0) {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args);
+		} else {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args2);
+		}
+	}
+	/* Final barrier_wait to set off the thread race */
+	barrier_wait_result = pthread_barrier_wait(&barrier);
+	MY_TEST(pthread_barrier_ok(barrier_wait_result), "Could not wait on pthread barrier");
+
+	/* Wait for threads to finish parsing the logs */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(pthread_join(thread_ids[i], (void*) &parsed_logs[i]) == 0, "Could not join thread");
+	}
+
+	/* Check that all logs parsed and are equal */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(parsed_logs[i] != NULL, "Log failed to parse");
+		MY_TEST(parsed_logs[i]->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+		MY_TEST(parsed_logs[i]->event == AA_RECORD_DENIED, "Log should have parsed as denied");
+
+		/* Also check i==0 and i==1 as a sanity check for aa_log_record_eq */
+		if (i%2 == 0) {
+			MY_TEST(aa_log_record_eq(parsed_logs[0], parsed_logs[i]), "Log 0 != Log even");
+		} else {
+			MY_TEST(aa_log_record_eq(parsed_logs[1], parsed_logs[i]), "Log 1 != Log odd");
+		}
+	}
+	MY_TEST(!aa_log_record_eq(parsed_logs[0], parsed_logs[1]), "Log 0 and log 1 shouldn't be equal");
+	/* Clean up */
+	MY_TEST(pthread_barrier_destroy(&barrier) == 0, "Could not destroy pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		free_record(parsed_logs[i]);
+	}
+	return rc;
+}

libraries/libapparmor/src/tst_features.c

@@ -135,7 +135,7 @@ static int do_test_walk_one(const char **str, const struct component *component,
 
 static int test_walk_one(void)
 {
-	struct component c;
+	struct component c = (struct component) { NULL, 0 };
 	const char *str;
 	int rc = 0;
 

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -5,9 +5,98 @@
 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
 
+// Include static_assert if the C compiler supports it
+// static_assert standardized since C11, assert.h not needed since C23
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && __STDC_VERSION__ < 202311L
+#include <assert.h>
+#endif
 %}
 
 %include "typemaps.i"
+%include <cstring.i>
+%include <stdint.i>
+%include <exception.i>
+
+/*
+ * SWIG 4.3 included https://github.com/swig/swig/pull/2907 to distinguish
+ * between Py_None being returned as a default void and Py_None being returned
+ * as the equivalent of C NULL. Unfortunately, this turns into an API breaking
+ * change with our use of %append_output when we want the Python function to
+ * return something even when the C function has a void return type. Thus, we
+ * need an additional macro to smooth over the differences. Include all affected
+ * languages, even ones we don't build bindings for, for completeness.
+ */
+#if SWIG_VERSION >= 0x040300
+#ifdef SWIGPYTHON
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Python_AppendOutput($result, value, 1);}
+#elif defined(SWIGRUBY)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Ruby_AppendOutput($result, value, 1);}
+#elif defined(SWIGPHP)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Php_AppendOutput($result, value, 1);}
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+
+%newobject parse_record;
+%delobject free_record;
+/*
+ * Despite its name, %delobject does not hook up destructors to language
+ * deletion mechanisms. Instead, it sets flags so that manually calling the
+ * free function and then deleting by language mechanisms doesn't cause a
+ * double-free.
+ *
+ * Additionally, we can manually extend the struct with a C++-like
+ * destructor. This ensures that the record struct is freed 
+ * automatically when the high-level object goes out of scope.
+ */
+%extend aa_log_record {
+	~aa_log_record() {
+		free_record($self);
+	}
+}
+
+/*
+ * Generate a no-op free_record wrapper to avoid making a double-free footgun.
+ * Use rename directive to avoid colliding with the actual free_record, which
+ * we use above to clean up when the higher-level language deletes the object.
+ * 
+ * Ideally we would not expose a free_record at all, but we need to maintain
+ * backwards compatibility with the existing high-level code that uses it.
+ */
+%rename(free_record) noop_free_record;
+#ifdef SWIGPYTHON
+%pythonprepend noop_free_record %{
+import warnings
+warnings.warn("free_record is now a no-op as the record's memory is handled automatically", DeprecationWarning)
+%}
+#endif
+%feature("autodoc",
+  "This function used to free aa_log_record objects. Freeing is now handled "
+  "automatically, so this no-op function remains for backwards compatibility.") noop_free_record;
+%inline %{
+  void noop_free_record(aa_log_record *record) {(void) record;}
+%}
+
+/*
+ * Do not autogenerate a wrapper around free_record. This does not prevent us
+ * from calling it ourselves in %extend C code.
+ */
+%ignore free_record;
+
+
+/*
+ * Map names to preserve backwards compatibility
+ */
+#ifdef SWIGPYTHON
+%rename("_class") aa_log_record::rule_class;
+#else
+%rename("class") aa_log_record::rule_class;
+#endif
+%rename("namespace") aa_log_record::aa_namespace;
+
 %include <aalogparse.h>
 
 /**
@@ -21,18 +110,75 @@
 
 /* apparmor.h */
 
+/*
+ * label is a heap-allocated pointer, but when label and mode occur together,
+ * the freeing of label must be deferred because mode points into label.
+ *
+ * %cstring_output_allocate((char **label, char **mode), free(*$1))
+ * does not handle multi-argument typemaps correctly, so we write our own
+ * typemap based on it instead.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **label, char **mode) ($*1_ltype temp_label = 0, $*2_ltype temp_mode = 0) {
+  $1 = &temp_label;
+  $2 = &temp_mode;
+}
+%typemap(freearg,match="in") (char **label, char **mode) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **label, char **mode) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$2));
+  free(*$1);
+}
+
+/*
+ * mode also occurs in combination with con in aa_splitcon
+ * typemap based on %cstring_mutable but with substantial modifications
+ */
+%typemap(in,numinputs=1,fragment="SWIG_AsCharPtrAndSize") (char *con, char **mode) ($*2_ltype temp_mode = 0) {
+  int alloc_status = 0;
+  $1_ltype con_ptr = NULL;
+  size_t con_len = 0;
+  int char_ptr_res = SWIG_AsCharPtrAndSize($input, &con_ptr, &con_len, &alloc_status);
+  if (!SWIG_IsOK(char_ptr_res)) {
+    %argument_fail(char_ptr_res, "char *con", $symname, $argnum);
+  }
+  if (alloc_status != SWIG_NEWOBJ) {
+    // Unconditionally copy because the C function modifies the string in place
+    $1 = %new_copy_array(con_ptr, con_len+1, char);
+  } else {
+    $1 = con_ptr;
+  }
+
+  $2 = &temp_mode;
+}
+%typemap(freearg,noblock=1,match="in") (char *con, char **mode) {
+  %delete_array($1);
+}
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char *con, char **mode) {
+  /*
+   * aa_splitcon returns either con or NULL so we don't need to explicitly
+   * append it to the output, and we don't need the ISVOID helper here
+   * 
+   * SWIG_FromCharPtr does NULL checks for us
+   */
+  %append_output(SWIG_FromCharPtr(*$2));
+}
+
+%exception aa_splitcon {
+  $action
+  if (result == NULL) {
+    SWIG_exception_fail(SWIG_ValueError, "received invalid confinement context");
+  }
+}
+
 extern char *aa_splitcon(char *con, char **mode);
 
-/* apparmor_private.h */
-
-extern int _aa_is_blacklisted(const char *name);
-
 #ifdef SWIGPYTHON
 %exception {
   $action
   if (result < 0) {
+    // Unfortunately SWIG_exception does not support OSError
     PyErr_SetFromErrno(PyExc_OSError);
-    return NULL;
+    SWIG_fail;
   }
 }
 #endif
@@ -41,33 +187,248 @@ extern int _aa_is_blacklisted(const char *name);
 
 /* apparmor.h */
 
+/*
+ * aa_is_enabled returns a boolean as an int with failure reason in errno 
+ * Therefore, aa_is_enabled either returns True or throws an exception
+ *
+ * Keep that behavior for backwards compatibilty but return a boolean on Python
+ * where it makes more sense, which isn't a breaking change because a boolean is
+ * a subclass of int
+ */
+#ifdef SWIGPYTHON
+%typemap(out) int {
+	$result = PyBool_FromLong($1);
+}
+#endif
 extern int aa_is_enabled(void);
-extern int aa_find_mountpoint(char **mnt);
+
+#ifdef SWIGPYTHON
+// Based on SWIG's argcargv.i but we don't have an argc
+%typemap(in,fragment="SWIG_AsCharPtr") const char *subprofiles[] (Py_ssize_t seq_len=0, int* alloc_tracking = NULL) {
+  void* arg_as_ptr = NULL;
+  int res_convertptr = SWIG_ConvertPtr($input, &arg_as_ptr, $descriptor(char*[]), 0);
+  if (SWIG_IsOK(res_convertptr)) {
+    $1 = %static_cast(arg_as_ptr, $1_ltype);
+  } else {
+    // Clear error that would be set if ptr conversion failed
+    PyErr_Clear();
+
+    int is_list = PyList_Check($input);
+    if (is_list || PyTuple_Check($input)) {
+      seq_len = PySequence_Length($input);
+      /*
+       * %new_array zero-inits for cleaner error handling and memory cleanup
+       * %delete_array(NULL) is no-op (either free or delete), and
+       * alloc_tracking of 0 is uninit
+       * 
+       * Further note: SWIG_exception_fail jumps to the freearg typemap
+       */
+      $1 = %new_array(seq_len+1, char *);
+      if ($1 == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C subprofiles");
+      }
+
+      alloc_tracking = %new_array(seq_len, int);
+      if (alloc_tracking == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C alloc track arr");
+      }
+      for (Py_ssize_t i=0; i<seq_len; i++) {
+        PyObject *o = is_list ? PyList_GetItem($input, i) : PyTuple_GetItem($input, i);
+        if (o == NULL) {
+          // Failed to get item-Python already set exception info
+          SWIG_fail;
+        } else if (o == Py_None) {
+          // SWIG_AsCharPtr(Py_None, ...) succeeds with ptr output being NULL
+          SWIG_exception_fail(SWIG_ValueError, "sequence contains a None object");
+        }
+        int res = SWIG_AsCharPtr(o, &$1[i], &alloc_tracking[i]);
+        if (!SWIG_IsOK(res)) {
+          // Could emit idx of error here, maybe?
+          SWIG_exception_fail(SWIG_ArgError(res), "sequence does not contain all strings");
+        }
+      }
+    } else {
+      SWIG_exception_fail(SWIG_TypeError, "subprofiles is not a list or tuple");
+    }
+  }
+}
+%typemap(freearg,noblock=1) const char *subprofiles[] {
+/*
+ * If static_assert is present, use it to verify the assumption that
+ * allocation uninitialized (0) != SWIG_NEWOBJ
+ */
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  /* 
+   * Some older versions of SWIG place this right after a goto label
+   * This would then be a label followed by a declaration, a C23 extension (!)
+   * To ensure this works for older SWIG versions and older compilers,
+   * make this a block element with curly braces.
+   */
+  {static_assert(SWIG_NEWOBJ != 0, "SWIG_NEWOBJ is 0");}
+%#endif
+  if ($1 != NULL && alloc_tracking$argnum != NULL) {
+    for (Py_ssize_t i=0; i<seq_len$argnum; i++) {
+      if (alloc_tracking$argnum[i] == SWIG_NEWOBJ) {
+        %delete_array($1[i]);
+      }
+    }
+  }
+  %delete_array(alloc_tracking$argnum);
+  %delete_array($1);
+}
+#endif
+
+#ifdef SWIGPERL
+// Copied from perl's argcargv.i, which should be good enough for us
+%typemap(in) (const char *subprofiles[]) {
+  int i;
+  SSize_t len;
+  AV *av = (AV *)SvRV($input);
+  if (SvTYPE(av) != SVt_PVAV) {
+    SWIG_croak("in method '$symname', Expecting reference to argv array");
+    goto fail;
+  }
+  len = av_len(av) + 1;
+  $1 = (char **) malloc((len+1)*sizeof(char *));
+  for (i = 0; i < len; i++) {
+    SV **tv = av_fetch(av, i, 0);
+    $1[i] = SvPV_nolen(*tv);
+  }
+  $1[i] = NULL;
+}
+
+%typemap(typecheck, precedence=SWIG_TYPECHECK_STRING_ARRAY) (const char *subprofiles[]) {
+  AV *av = (AV *)SvRV($input);
+  $1 = SvTYPE(av) == SVt_PVAV;
+}
+
+%typemap(freearg) (const char *subprofiles[]) {
+  free((void *)$1);
+}
+#endif
+
+/* These should not receive the VOID_Object typemap */
 extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
 extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
-extern int aa_change_hat_vargs(unsigned long token, int count, ...);
 extern int aa_stack_profile(const char *profile);
 extern int aa_stack_onexec(const char *profile);
-extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
-			      char **mode);
-extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
+
+/*
+ * aa_find_mountpoint mnt is an output pointer to a heap-allocated string
+ *
+ * This is a replica of %cstring_output_allocate(char **mnt, free(*$1))
+ * that uses the ISVOID helper to work correctly on SWIG 4.3 or later.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **mnt) ($*1_ltype temp_mnt = 0) {
+  $1 = &temp_mnt;
+}
+%typemap(freearg,match="in") (char **mnt) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **mnt) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  free(*$1);
+}
+/* The other errno-based functions should not always be returning the int value:
+ * - Python exceptions signal success/failure status instead via the %exception 
+ *   handler above.
+ * - Perl (the other binding) has $! for accessing errno but would check the int
+ *   return status first.
+ *
+ * The generated C code for (out) resets the return value to None
+ * before appending the returned data (argout generated by %cstring stuff)
+ */
+#ifdef SWIGPYTHON
+%typemap(out,noblock=1) int {
+#if defined(VOID_Object)
+	$result = VOID_Object;
+#endif
+}
+#endif
+
+/*
+ * We can't use "typedef int pid_t" because we still support systems
+ * with 16-bit PIDs and SWIG can't find sys/types.h
+ *
+ * Capture the passed-in value as a long because pid_t is guaranteed
+ * to be a signed integer and because the aalogparse struct uses
+ * (unsigned) longs to store pid values. While intmax_t would be more
+ * technically correct, if sizeof(pid_t) > sizeof(long) then aalogparse
+ * itself would also need fixing.
+ */
+%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, long pid_large) {
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  static_assert(sizeof(pid_t) <= sizeof(long),
+    "pid_t type is too large to be stored in a long");
+%#endif
+  conv_pid = SWIG_AsVal_long($input, &pid_large);
+  if (!SWIG_IsOK(conv_pid)) {
+    %argument_fail(conv_pid, "pid_t", $symname, $argnum);
+  }
+  /*
+   * Cast the long to a pid_t and then cast back to check for overflow
+   * Technically this is implementation-defined behaviour but we should be fine
+   */
+  $1 = (pid_t) pid_large;
+  if ((long) $1 != pid_large) {
+    SWIG_exception_fail(SWIG_OverflowError, "pid_t is too large");
+  }
+}
+
+extern int aa_find_mountpoint(char **mnt);
+extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
 extern int aa_gettaskcon(pid_t target, char **label, char **mode);
 extern int aa_getcon(char **label, char **mode);
-extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
-extern int aa_query_file_path_len(uint32_t mask, const char *label,
-				  size_t label_len, const char *path,
-				  size_t path_len, int *allowed, int *audited);
+
+/*
+ * Typemaps for the boolean outputs of the query functions
+ * Use boolean types for Python and int types elsewhere
+ */
+#ifdef SWIGPYTHON
+// TODO: find a way to deduplicate these
+%typemap(in, numinputs=0) int *allowed (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *allowed {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+
+%typemap(in, numinputs=0) int *audited (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *audited {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+#else
+%apply int *OUTPUT { int *allowed };
+%apply int *OUTPUT { int *audited };
+#endif
+
+/* Sync this with the apparmor.h */
+/* Permission flags for the AA_CLASS_FILE mediation class */
+#define AA_MAY_EXEC			(1 << 0)
+#define AA_MAY_WRITE			(1 << 1)
+#define AA_MAY_READ			(1 << 2)
+#define AA_MAY_APPEND			(1 << 3)
+#define AA_MAY_CREATE			(1 << 4)
+#define AA_MAY_DELETE			(1 << 5)
+#define AA_MAY_OPEN			(1 << 6)
+#define AA_MAY_RENAME			(1 << 7)
+#define AA_MAY_SETATTR			(1 << 8)
+#define AA_MAY_GETATTR			(1 << 9)
+#define AA_MAY_SETCRED			(1 << 10)
+#define AA_MAY_GETCRED			(1 << 11)
+#define AA_MAY_CHMOD			(1 << 12)
+#define AA_MAY_CHOWN			(1 << 13)
+#define AA_MAY_LOCK			0x8000
+#define AA_EXEC_MMAP			0x10000
+#define AA_MAY_LINK			0x40000
+#define AA_MAY_ONEXEC			0x20000000
+#define AA_MAY_CHANGE_PROFILE		0x40000000
+
 extern int aa_query_file_path(uint32_t mask, const char *label,
 			      const char *path, int *allowed, int *audited);
-extern int aa_query_link_path_len(const char *label, size_t label_len,
-				  const char *target, size_t target_len,
-				  const char *link, size_t link_len,
-				  int *allowed, int *audited);
 extern int aa_query_link_path(const char *label, const char *target,
 			      const char *link, int *allowed, int *audited);
 

libraries/libapparmor/swig/python/Makefile.am

@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
 
 all-local: libapparmor_wrap.c setup.py
 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
-	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
+	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
 
 install-exec-local:
 	$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

libraries/libapparmor/swig/python/setup.py.in

@@ -2,7 +2,7 @@ from setuptools import setup, Extension
 import string
 
 setup(name          = 'LibAppArmor',
-      version       = '@VERSION@',
+      version       = '@VERSION@'.replace('~', '-'),
       author        = 'AppArmor Dev Team',
       author_email  = 'apparmor@lists.ubuntu.com',
       url           = 'https://wiki.apparmor.net',

libraries/libapparmor/swig/python/test/buildpath.py

@@ -7,7 +7,7 @@ import sysconfig
 import setuptools
 
 
-if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+if tuple(map(int, setuptools.__version__.split(".")[:2])) >= (62, 1):
     identifier = sys.implementation.cache_tag
 else:
     identifier = "%d.%d" % sys.version_info[:2]

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -55,10 +55,100 @@ NO_VALUE_MAP = {
     'fsuid': int(ctypes.c_ulong(-1).value),
     'ouid':  int(ctypes.c_ulong(-1).value),
 }
-
-
 class AAPythonBindingsTests(unittest.TestCase):
 
+    def setUp(self):
+        # REPORT ALL THE OUTPUT
+        self.maxDiff = None
+
+    def test_aa_splitcon(self):
+        AA_SPLITCON_EXPECT = [
+            ("unconfined", "unconfined", None),
+            ("unconfined\n", "unconfined", None),
+            ("/bin/ping (enforce)", "/bin/ping", "enforce"),
+            ("/bin/ping (enforce)\n", "/bin/ping", "enforce"),
+            ("/usr/sbin/rsyslog (complain)", "/usr/sbin/rsyslog", "complain"),
+        ]
+        for context, expected_label, expected_mode in AA_SPLITCON_EXPECT:
+            actual_label, actual_mode = libapparmor.aa_splitcon(context)
+            if expected_label is None:
+                self.assertIsNone(actual_label)
+            else:
+                self.assertIsInstance(actual_label, str)
+                self.assertEqual(expected_label, actual_label)
+
+            if expected_mode is None:
+                self.assertIsNone(actual_mode)
+            else:
+                self.assertIsInstance(actual_mode, str)
+                self.assertEqual(expected_mode, actual_mode)
+
+        with self.assertRaises(ValueError):
+            libapparmor.aa_splitcon("")
+
+    def test_aa_is_enabled(self):
+        aa_enabled = libapparmor.aa_is_enabled()
+        self.assertIsInstance(aa_enabled, bool)
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_find_mountpoint(self):
+        mount_point = libapparmor.aa_find_mountpoint()
+        self.assertIsInstance(mount_point, str)
+        self.assertGreater(len(mount_point), 0, "mount point should not be empty")
+        self.assertTrue(os.path.isdir(mount_point))
+
+    # TODO: test commented out functions (or at least their prototypes)
+    # extern int aa_change_profile(const char *profile);
+    # extern int aa_change_onexec(const char *profile);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_change_hats(self):
+        # Changing hats will fail because we have no valid hats to change to
+        # However, we still verify that we get an OSError instead of a TypeError
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hat("nonexistent_profile", 12345678)
+
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hatv(["nonexistent_1", "nonexistent_2"], 0xabcdef)
+            libapparmor.aa_change_hatv(("nonexistent_1", "nonexistent_2"), 0xabcdef)
+
+    # extern int aa_stack_profile(const char *profile);
+    # extern int aa_stack_onexec(const char *profile);
+    # extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
+    # extern int aa_gettaskcon(pid_t target, char **label, char **mode);
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_gettaskcon(self):
+        # Our test harness should be running us as unconfined
+        # Get our own pid and this should be equivalent to aa_getcon
+        pid = os.getpid()
+
+        label, mode = libapparmor.aa_gettaskcon(pid)
+        self.assertEqual(label, "unconfined", "aa_gettaskcon label should be unconfined")
+        self.assertIsNone(mode, "aa_gettaskcon mode should be unconfined")
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_getcon(self):
+        # Our test harness should be running us as unconfined
+        label, mode = libapparmor.aa_getcon()
+        self.assertEqual(label, "unconfined", "aa_getcon label should be unconfined")
+        self.assertIsNone(mode, "aa_getcon mode should be unconfined")
+
+    # extern int aa_getpeercon(int fd, char **label, char **mode);
+
+    # extern int aa_query_file_path(uint32_t mask, const char *label,
+    #                 const char *path, int *allowed, int *audited);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_query_file_path(self):
+        aa_query_mask = libapparmor.AA_MAY_EXEC | libapparmor.AA_MAY_READ | libapparmor.AA_MAY_WRITE
+        allowed, audited = libapparmor.aa_query_file_path(aa_query_mask, "unconfined", "/tmp/hello")
+        self.assertTrue(allowed)
+        self.assertFalse(audited)
+    # extern int aa_query_link_path(const char *label, const char *target,
+    #                 const char *link, int *allowed, int *audited);
+
+
+class AALogParsePythonBindingsTests(unittest.TestCase):
+
     def setUp(self):
         # REPORT ALL THE OUTPUT
         self.maxDiff = None
@@ -118,6 +208,9 @@ class AAPythonBindingsTests(unittest.TestCase):
                 # FIXME: out files should report log version?
                 # FIXME: or can we just deprecate v1 logs?
                 continue
+            elif key == "thisown":
+                # SWIG generates this key to track memory allocation
+                continue
             elif key in NO_VALUE_MAP:
                 if NO_VALUE_MAP[key] == value:
                     continue
@@ -142,7 +235,7 @@ def main():
         def stub_test(self, testname=f):
             self._runtest(testname)
         stub_test.__doc__ = "test " + f
-        setattr(AAPythonBindingsTests, 'test_' + f, stub_test)
+        setattr(AALogParsePythonBindingsTests, 'test_' + f, stub_test)
     return unittest.main(verbosity=2)
 
 

libraries/libapparmor/testsuite/test_multi.c

@@ -1,5 +1,3 @@
-#define _GNU_SOURCE /* for glibc's basename version */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -7,6 +5,12 @@
 
 #include <aalogparse.h>
 
+static const char *basename(const char *path)
+{
+	const char *p = strrchr(path, '/');
+	return p ? p + 1 : path;
+}
+
 int print_results(aa_log_record *record);
 
 int main(int argc, char **argv)
@@ -103,7 +107,7 @@ int print_results(aa_log_record *record)
 		print_string("Name", record->name);
 		print_string("Command", record->comm);
 		print_string("Name2", record->name2);
-		print_string("Namespace", record->namespace);
+		print_string("Namespace", record->aa_namespace);
 		print_string("Attribute", record->attribute);
 		print_long("Task", record->task, 0);
 		print_long("Parent", record->parent, 0);
@@ -115,6 +119,8 @@ int print_results(aa_log_record *record)
 		print_long("Peer PID", record->peer_pid, 0);
 		print_string("Active hat", record->active_hat);
 
+		print_string("Net Addr", record->net_addr);
+		print_string("Peer Addr", record->peer_addr);
 		print_string("Network family", record->net_family);
 		print_string("Socket type", record->net_sock_type);
 		print_string("Protocol", record->net_protocol);
@@ -134,7 +140,9 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
-		print_string("Class", record->class);
+		print_string("Execpath", record->execpath);
+
+		print_string("Class", record->rule_class);
 
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);

libraries/libapparmor/testsuite/test_multi/file_inherit_network_lp1509030.profile

@@ -1,4 +1,4 @@
 /usr/lib/NetworkManager/nm-dhcp-client.action {
-  network inet6 dgram,
+  network inet6 dgram port=10580,
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_lp1466812.profile

@@ -1,4 +1,4 @@
 /usr/sbin/apache2 {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:192.168.236.159 port=80 peer=(ip=::ffff:192.168.103.80 port=61985),
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1577051.profile

@@ -1,7 +1,7 @@
 /usr/sbin/apache2 {
 
   ^www.xxxxxxxxxx.co.uk {
-    network inet6 stream,
+    network (send) inet6 stream ip=::ffff:192.168.1.100 port=80 peer=(ip=::ffff:192.168.1.100 port=45658),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1582374.profile

@@ -1,7 +1,7 @@
 /usr/local/apache-tomcat-8.0.33/bin/catalina.sh {
 
   ^/usr/local/jdk1.8.0_92/bin/java {
-    network inet6 stream,
+    network (receive) inet6 stream ip=::ffff:127.0.0.1 port=8080 peer=(ip=::ffff:127.0.0.1 port=52308),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/testcase36.in

@@ -0,0 +1 @@
+2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122

libraries/libapparmor/testsuite/test_multi/testcase36.out

@@ -0,0 +1,15 @@
+START
+File: testcase36.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1737963096.225:3240
+Operation: getattr
+Mask: r
+fsuid: 122
+ouid: 122
+Profile: /usr/sbin/mosquitto
+Name: /etc/mosquitto/pwfile
+Command: mosquitto
+PID: 8119
+Class: file
+Epoch: 1737963096
+Audit subid: 3240

libraries/libapparmor/testsuite/test_multi/testcase36.profile

@@ -0,0 +1,4 @@
+/usr/sbin/mosquitto {
+  /etc/mosquitto/pwfile r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
-  mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+  mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

@@ -0,0 +1,4 @@
+profile steam {
+  mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_01.profile

@@ -1,4 +1,4 @@
 /usr/bin/evince-thumbnailer {
-  network inet stream,
+  network inet stream ip=192.168.66.150 port=765 peer=(ip=192.168.66.200 port=2049),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_02.profile

@@ -1,4 +1,4 @@
 /usr/bin/evince-thumbnailer {
-  network inet stream,
+  network inet stream port=765 peer=(port=2049),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_03.profile

@@ -1,4 +1,4 @@
 /usr/lib/dovecot/imap-login {
-  network inet6 stream,
+  network inet6 stream port=143,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_04.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/tmp/nc {
-  network inet6 stream,
+  network inet6 stream ip=::1 port=2048 peer=(ip=::1 port=33986),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_05.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/tmp/nc {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:127.0.0.1 port=2048 peer=(ip=::ffff:127.0.0.1 port=59180),
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_network_06.in

@@ -0,0 +1 @@
+[319992.813426] audit: type=1400 audit(1716557137.764:477): apparmor="DENIED" operation="recvmsg" class="net" info="failed remote addr match" error=-13 profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=22237 comm="net_inet_rcv" laddr=127.0.97.3 lport=3456 saddr=127.0.97.3 src=3456 family="inet" sock_type="dgram" protocol=17 requested="receive" denied="receive"

libraries/libapparmor/testsuite/test_multi/testcase_network_06.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_06.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716557137.764:477
+Operation: recvmsg
+Mask: receive
+Denied Mask: receive
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+Info: failed remote addr match
+ErrorCode: 13
+PID: 22237
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.0.97.3
+Local port: 3456
+Class: net
+Epoch: 1716557137
+Audit subid: 477

libraries/libapparmor/testsuite/test_multi/testcase_network_06.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (receive) inet dgram ip=127.0.97.3 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_07.in

@@ -0,0 +1 @@
+[321266.557863] audit: type=1400 audit(1716558411.518:583): apparmor="DENIED" operation="bind" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=23602 comm="net_inet_rcv" saddr=127.0.97.3 src=3456 family="inet" sock_type="dgram" protocol=17 requested="bind" denied="bind"

libraries/libapparmor/testsuite/test_multi/testcase_network_07.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_07.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716558411.518:583
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+PID: 23602
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.0.97.3
+Local port: 3456
+Class: net
+Epoch: 1716558411
+Audit subid: 583

libraries/libapparmor/testsuite/test_multi/testcase_network_07.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (bind) inet dgram ip=127.0.97.3 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_08.in

@@ -0,0 +1 @@
+[321557.117710] audit: type=1400 audit(1716558702.097:793): apparmor="DENIED" operation="setsockopt" class="net" info="failed cmd selection match" error=-13 profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=26135 comm="net_inet_rcv" family="inet" sock_type="dgram" protocol=17 requested="setopt" denied="setopt"

libraries/libapparmor/testsuite/test_multi/testcase_network_08.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_08.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716558702.097:793
+Operation: setsockopt
+Mask: setopt
+Denied Mask: setopt
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+Info: failed cmd selection match
+ErrorCode: 13
+PID: 26135
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Class: net
+Epoch: 1716558702
+Audit subid: 793

libraries/libapparmor/testsuite/test_multi/testcase_network_08.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (setopt) inet dgram,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_09.in

@@ -0,0 +1 @@
+[338728.513756] audit: type=1400 audit(1716575873.613:1160): apparmor="DENIED" operation="sendmsg" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd" pid=31340 comm="net_inet_snd" laddr=127.187.243.54 lport=3457 saddr=127.187.243.54 src=3457 daddr=127.0.97.3 dest=3456 family="inet" sock_type="dgram" protocol=17 requested="send" denied="send"

libraries/libapparmor/testsuite/test_multi/testcase_network_09.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_09.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716575873.613:1160
+Operation: sendmsg
+Mask: send
+Denied Mask: send
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd
+Command: net_inet_snd
+PID: 31340
+Network family: inet
+Socket type: dgram
+Protocol: udp
+Local addr: 127.187.243.54
+Foreign addr: 127.0.97.3
+Local port: 3457
+Foreign port: 3456
+Class: net
+Epoch: 1716575873
+Audit subid: 1160

libraries/libapparmor/testsuite/test_multi/testcase_network_09.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd {
+  network (send) inet dgram ip=127.187.243.54 port=3457 peer=(ip=127.0.97.3 port=3456),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_10.in

@@ -0,0 +1 @@
+[341455.536270] audit: type=1400 audit(1716578600.733:1467): apparmor="DENIED" operation="bind" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv" pid=35013 comm="net_inet_rcv" saddr=fd74:1820:b03a:b361::cf32 src=3456 family="inet6" sock_type="dgram" protocol=17 requested="bind" denied="bind"

libraries/libapparmor/testsuite/test_multi/testcase_network_10.out

@@ -0,0 +1,18 @@
+START
+File: testcase_network_10.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716578600.733:1467
+Operation: bind
+Mask: bind
+Denied Mask: bind
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv
+Command: net_inet_rcv
+PID: 35013
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: fd74:1820:b03a:b361::cf32
+Local port: 3456
+Class: net
+Epoch: 1716578600
+Audit subid: 1467

libraries/libapparmor/testsuite/test_multi/testcase_network_10.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_rcv {
+  network (bind) inet6 dgram ip=fd74:1820:b03a:b361::cf32 port=3456,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_11.in

@@ -0,0 +1 @@
+[342092.040080] audit: type=1400 audit(1716579237.240:2187): apparmor="DENIED" operation="sendmsg" class="net" profile="/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd" pid=43431 comm="net_inet_snd" laddr=fd74:1820:b03a:b361::a0f9 lport=3457 saddr=fd74:1820:b03a:b361::a0f9 src=3457 daddr=fd74:1820:b03a:b361::cf32 dest=3456 family="inet6" sock_type="dgram" protocol=17 requested="send" denied="send"

libraries/libapparmor/testsuite/test_multi/testcase_network_11.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1716579237.240:2187
+Operation: sendmsg
+Mask: send
+Denied Mask: send
+Profile: /home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd
+Command: net_inet_snd
+PID: 43431
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: fd74:1820:b03a:b361::a0f9
+Foreign addr: fd74:1820:b03a:b361::cf32
+Local port: 3457
+Foreign port: 3456
+Class: net
+Epoch: 1716579237
+Audit subid: 2187

libraries/libapparmor/testsuite/test_multi/testcase_network_11.profile

@@ -0,0 +1,4 @@
+/home/ubuntu/apparmor/tests/regression/apparmor/net_inet_snd {
+  network (send) inet6 dgram ip=fd74:1820:b03a:b361::a0f9 port=3457 peer=(ip=fd74:1820:b03a:b361::cf32 port=3456),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_12.in

@@ -0,0 +1 @@
+[  310.308737] audit: type=1400 audit(1724847289.985:631): apparmor="ALLOWED" operation="getsockname" class="net" profile="/usr/bin/wg" pid=15374 comm="wg" laddr=::ffff:127.0.0.1 lport=53131 faddr=::ffff:127.0.0.1 fport=51821 saddr=::ffff:127.0.0.1 src=53131 family="inet6" sock_type="dgram" protocol=17 requested="getattr" denied="getattr"

libraries/libapparmor/testsuite/test_multi/testcase_network_12.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_12.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1724847289.985:631
+Operation: getsockname
+Mask: getattr
+Denied Mask: getattr
+Profile: /usr/bin/wg
+Command: wg
+PID: 15374
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 53131
+Foreign port: 51821
+Class: net
+Epoch: 1724847289
+Audit subid: 631