Prepare for 4.1.0~beta5 release

- bump version

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -7,10 +7,22 @@ binutils/aa-exec.1
 binutils/aa-features-abi
 binutils/aa-features-abi.1
 binutils/aa-load
+binutils/aa-load.8
 binutils/aa-status
 binutils/aa-status.8
 binutils/cJSON.o
 binutils/po/*.mo
+changehat/mod_apparmor/.libs
+changehat/mod_apparmor/mod_apparmor.8
+changehat/mod_apparmor/mod_apparmor.8.html
+changehat/mod_apparmor/mod_apparmor.la
+changehat/mod_apparmor/mod_apparmor.lo
+changehat/mod_apparmor/mod_apparmor.slo
+changehat/mod_apparmor/mod_apparmor.so
+changehat/mod_apparmor/pod2htmd.tmp
+changehat/pam_apparmor/get_options.o
+changehat/pam_apparmor/pam_apparmor.o
+changehat/pam_apparmor/pam_apparmor.so
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
@@ -109,6 +121,18 @@ libraries/libapparmor/src/tst_aalogmisc
 libraries/libapparmor/src/tst_aalogmisc.log
 libraries/libapparmor/src/tst_aalogmisc.o
 libraries/libapparmor/src/tst_aalogmisc.trs
+libraries/libapparmor/src/tst_aalogparse_cpp
+libraries/libapparmor/src/tst_aalogparse_cpp.log
+libraries/libapparmor/src/tst_aalogparse_cpp.o
+libraries/libapparmor/src/tst_aalogparse_cpp.trs
+libraries/libapparmor/src/tst_aalogparse_reentrancy
+libraries/libapparmor/src/tst_aalogparse_reentrancy.log
+libraries/libapparmor/src/tst_aalogparse_reentrancy.o
+libraries/libapparmor/src/tst_aalogparse_reentrancy.trs
+libraries/libapparmor/src/tst_aalogparse_oldname
+libraries/libapparmor/src/tst_aalogparse_oldname.log
+libraries/libapparmor/src/tst_aalogparse_oldname.o
+libraries/libapparmor/src/tst_aalogparse_oldname.trs
 libraries/libapparmor/src/tst_features
 libraries/libapparmor/src/tst_features.log
 libraries/libapparmor/src/tst_features.o
@@ -169,7 +193,6 @@ libraries/libapparmor/testsuite/libaalogparse.test/Makefile
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
 libraries/libapparmor/testsuite/test_multi/out
 libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
-changehat/mod_apparmor/.libs
 utils/*.8
 utils/*.8.html
 utils/*.5
@@ -209,6 +232,7 @@ tests/regression/apparmor/chgrp
 tests/regression/apparmor/chmod
 tests/regression/apparmor/chown
 tests/regression/apparmor/clone
+tests/regression/apparmor/complain
 tests/regression/apparmor/dbus_eavesdrop
 tests/regression/apparmor/dbus_message
 tests/regression/apparmor/dbus_service
@@ -284,3 +308,15 @@ tests/regression/apparmor/xattrs_profile
 tests/regression/apparmor/coredump
 **/__pycache__/
 *.orig
+
+# Patterns related to spread integration tests
+*.img
+*.iso
+*.lock
+*.log
+*.qcow2
+*.run
+.spread-reuse.yaml
+.spread-reuse.*.yaml
+spread-artifacts/
+spread-logs/

.gitlab-ci.yml

@@ -4,25 +4,41 @@ image: ubuntu:latest
 # XXX - add a deploy stage to publish man pages, docs, and coverage
 # reports
 
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH
+
 stages:
   - build
   - test
+  - spread
 
-.ubuntu-before_script:
+.ubuntu-common:
   before_script:
-    - export DEBIAN_FRONTEND=noninteractive
+    # Install build-dependencies by loading the package list from the ubuntu/debian cloud-init profile.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_deps "Installing dependencies..."
     - apt-get update -qq
-    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
+    - apt-get install --yes yq make lsb-release
+    - |
+      printf 'include .image-garden.mk\n$(info $(UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE))\n.PHONY: nothing\nnothing:\n' \
+      | make -f - nothing \
+      | yq '.packages | .[]' \
+      | xargs apt-get install --yes --no-install-recommends
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_deps
+  after_script:
+    # Inspect the kernel and lsb-release.
     - lsb_release -a
     - uname -a
 
-.install-c-build-deps: &install-c-build-deps
-  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
-
 build-all:
   stage: build
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
+  script:
+    # Run the spread prepare section to build everything.
+    - yq -r '.prepare' <spread.yaml | SPREAD_PATH=. bash -xeu
   artifacts:
     name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
     expire_in: 30 days
@@ -35,39 +51,33 @@ build-all:
       - changehat/mod_apparmor/
       - changehat/pam_apparmor/
       - profiles/
-  script:
-    - *install-c-build-deps
-    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
-    - make -C parser
-    - make -C binutils
-    - make -C utils
-    - make -C changehat/mod_apparmor
-    - make -C changehat/pam_apparmor
-    - make -C profiles
 
 test-libapparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C libraries/libapparmor --touch
     - make -C libraries/libapparmor check
 
 test-parser:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C parser --touch
+    - make -C parser -j $(nproc) tst_binaries
     - make -C parser check
 
 test-binutils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
     - make -C binutils check
 
@@ -75,9 +85,15 @@ test-utils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C utils --touch
+
+    # TODO: move those to cloud-init list?
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
     - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
 
     # See apparmor/apparmor#221
     - make -C parser/tst gen_dbus
@@ -93,16 +109,20 @@ test-mod-apparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C changehat/mod_apparmor --touch
     - make -C changehat/mod_apparmor check
 
 test-profiles:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C profiles --touch
     - make -C profiles check-parser
     - make -C profiles check-abstractions.d
     - make -C profiles check-local
@@ -111,13 +131,15 @@ shellcheck:
   stage: test
   needs: []
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-  - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
-  - shellcheck --version
-  - './tests/bin/shellcheck-tree --format=checkstyle
-       | xmlstarlet tr tests/checkstyle2junit.xslt
-       > shellcheck.xml'
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - shellcheck --version
+    - "./tests/bin/shellcheck-tree --format=checkstyle
+      | xmlstarlet tr tests/checkstyle2junit.xslt
+      > shellcheck.xml"
   artifacts:
     when: always
     reports:
@@ -139,29 +161,146 @@ variables:
   SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
   SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
 
-.send-to-coverity: &send-to-coverity
-  - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
-    --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
-    --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
-    --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
-
 coverity:
   stage: .post
   extends:
-    - .ubuntu-before_script
-  only:
-    refs:
-      - master
+    - .ubuntu-common
   script:
-      - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
-      - *install-c-build-deps
-      - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
-        --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
-      - tar xfz /tmp/cov-analysis-linux64.tgz
-      - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
-      - PATH=$PATH:$(pwd)/$COV_VERSION/bin
-      - make coverity
-      - *send-to-coverity
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+      --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
+    - tar xfz /tmp/cov-analysis-linux64.tgz
+    - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
+    - PATH=$PATH:$(pwd)/$COV_VERSION/bin
+    - make coverity
+    - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+      --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
+      --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
+      --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
   artifacts:
     paths:
       - "apparmor-*.tar.gz"
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"
+
+.image-garden-x86_64:
+  stage: spread
+  # TODO: use tagged release once container tagging is improved upstream.
+  image: registry.gitlab.com/zygoon/image-garden:latest
+  tags:
+    - linux
+    - x86_64
+    - kvm
+  variables:
+    ARCH: x86_64
+    GARDEN_DL_DIR: dl
+    CACHE_POLICY: pull-push
+    CACHE_COMPRESSION_LEVEL: fastest
+  before_script:
+    # Prepare the image in dry-run mode. This helps in debugging cache misses
+    # when files are not cached correctly by the runner, causing the build section
+    # below to always do hevy-duty work.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
+    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
+  script:
+    # Prepare the image, for real.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image "Prepare image"
+    - image-garden make "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image
+  cache:
+    # Cache the base image (pre-customization).
+    - key: image-garden-base-${GARDEN_SYSTEM}.${ARCH}
+      policy: $CACHE_POLICY
+      when: always
+      paths:
+        - $GARDEN_DL_DIR
+        # Those are never mutated so they are safe to share.
+        - efi-code.*.img
+        - efi-vars.*.img
+    # Cache the customized system. This cache depends on .image-garden.mk file
+    # so that any customization updates are immediately acted upon.
+    - key:
+        prefix: image-garden-custom-${GARDEN_SYSTEM}.${ARCH}-
+        files:
+          - .image-garden.mk
+      policy: $CACHE_POLICY
+      when: always
+      paths:
+        - $GARDEN_SYSTEM.*
+        - $GARDEN_SYSTEM.seed.iso
+        - $GARDEN_SYSTEM.meta-data
+        - $GARDEN_SYSTEM.user-data
+
+# This job builds and caches the image that the job below looks at.
+image-ubuntu-cloud-24.04-x86_64:
+  extends: .image-garden-x86_64
+  variables:
+    GARDEN_SYSTEM: ubuntu-cloud-24.04
+  needs: []
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH
+      changes:
+        paths:
+          - .image-garden.mk
+          - .gitlab-ci.yml
+        compare_to: "refs/heads/master"
+
+.spread-x86_64:
+  extends: .image-garden-x86_64
+  variables:
+    # GitLab project identifier of zygoon/spread-dist can be seen on
+    # https://gitlab.com/zygoon/spread-dist, under the three-dot menu on
+    # top-right.
+    SPREAD_GITLAB_PROJECT_ID: "65375371"
+    # Git revision of spread to install.
+    # This must have been built via spread-dist.
+    # TODO: switch to upstream 1.0 release when available.
+    SPREAD_REV: 413817eda7bec07a3885e0717c178b965f8924e1
+    # Run all the tasks for a given system.
+    SPREAD_ARGS: "garden:$GARDEN_SYSTEM:"
+    SPREAD_GOARCH: amd64
+  before_script:
+    # Prepare the image in dry-run mode. This helps in debugging cache misses
+    # when files are not cached correctly by the runner, causing the build section
+    # below to always do hevy-duty work.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
+    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - stat .image-garden.mk "$GARDEN_SYSTEM".* || true
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
+    # Install the selected revision of spread.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_spread "Installing spread..."
+    # Install pre-built spread from https://gitlab.com/zygoon/spread-dist generic package repository.
+    - |
+      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --location --output spread "${CI_API_V4_URL}/projects/${SPREAD_GITLAB_PROJECT_ID}/packages/generic/spread/${SPREAD_REV}/spread.${SPREAD_GOARCH}"
+    - chmod +x spread
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_spread
+  script:
+    - printf '\e[0K%s:%s:%s\r\e[0K%s\n' section_start "$(date +%s)" run_spread "Running spread for $GARDEN_SYSTEM..."
+    # TODO: transform to inject ^...$ to properly select jobs to run.
+    - mkdir -p spread-logs spread-artifacts
+    - ./spread -list $SPREAD_ARGS |
+      split --number=l/"${CI_NODE_INDEX:-1}"/"${CI_NODE_TOTAL:-1}" |
+      xargs --verbose ./spread -v -artifacts ./spread-artifacts -v | tee spread-logs/"$GARDEN_SYSTEM".log
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" run_spread
+  artifacts:
+    paths:
+      - spread-logs
+      - spread-artifacts
+    when: always
+
+spread-ubuntu-cloud-24.04-x86_64:
+  extends: .spread-x86_64
+  variables:
+    GARDEN_SYSTEM: ubuntu-cloud-24.04
+    SPREAD_ARGS: garden:$GARDEN_SYSTEM:tests/regression/ garden:$GARDEN_SYSTEM:tests/profiles/
+    CACHE_POLICY: pull
+  dependencies: []
+  needs:
+    - job: image-ubuntu-cloud-24.04-x86_64
+      optional: true
+  parallel: 4

.image-garden.mk

@@ -0,0 +1,110 @@
+# This file is read by image-garden when spread is allocating test machines.
+# All the package installation happens through cloud-init profiles defined
+# below.
+
+# This is the cloud-init user-data profile for all Debian systems. Note that it
+# is an extension of the default profile necessary for operation of
+# image-garden.
+define DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- apache2-dev
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- build-essential
+- dejagnu
+- dosfstools
+- flake8
+- flex
+- fuse-overlayfs
+- gdb
+- gettext
+- libdbus-1-dev
+- libpam0g-dev
+- libtool
+- liburing-dev
+- pkg-config
+- python3-all-dev
+- python3-gi
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-tk
+- python3-ttkthemes
+- swig
+- toybox
+endef
+
+# Ubuntu shares cloud-init profile with Debian.
+UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE=$(DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE)
+
+# This is the cloud-init user-data profile for openSUSE Tumbleweed.
+define OPENSUSE_tumbleweed_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+- sed -i -e 's/security=selinux/security=apparmor/g' /etc/default/grub
+- update-bootloader
+packages:
+- apache2-devel
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-1-devel
+- dejagnu
+- dosfstools
+- flex
+- fuse-overlayfs
+- gcc
+- gcc-c++
+- gdb
+- gettext
+- gobject-introspection
+- libtool
+- liburing2-devel
+- make
+- pam-devel
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-setuptools
+- python3-tk
+- python311
+- python311-devel
+- swig
+endef
+
+define FEDORA_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-devel
+- dejagnu
+- dosfstools
+- flex
+- gdb
+- gettext
+- httpd-devel
+- libstdc++-static
+- libtool
+- liburing-devel
+- pam-devel
+- perl
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-gobject-base
+- python3-notify2
+- python3-tkinter
+- swig
+endef

Makefile

@@ -59,7 +59,7 @@ coverity: snapshot
 		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
 	cov-build --dir $(COVERITY_DIR) -- sh -c \
 	"$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		$(MAKE) -C $(SNAPSHOT_NAME)/$(dir);) "
+		$(MAKE) -j $$(nproc) -C $(SNAPSHOT_NAME)/$(dir);) "
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir

README.md

@@ -197,6 +197,33 @@ usage and how to update and add tests. Below is a quick overview of their
 location and how to run them.
 
 
+Using spread with local virtual machines
+----------------------------------------
+
+It may be convenient to use the spread tool to provision and run the test suite
+in an ephemeral virtual machine. This allows testing in isolation from the
+host, as well as testing across different commonly used distributions and their
+real kernels.
+
+```sh
+sudo apt install git golang whois ovmf genisoimage qemu-utils qemu-system
+go install github.com/snapcore/spread/cmd/spread@latest
+git clone https://gitlab.com/zygoon/image-garden
+make -C image-garden
+sudo make -C image-garden install
+image-garden make ubuntu-cloud-24.10.x86_64.run
+cd $APPARMOR_PATH
+git clean -xdf
+~/go/bin/spread -artifacts ./spread-artifacts -v ubuntu-cloud-24.10
+# or ~/go/bin/spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
+```
+
+Running the `run_spread.sh` script, with `spread` on `PATH` will run all the
+tests across several supported systems (Debian, Ubuntu and openSUSE).
+
+If you include a `bzImage` file in the root of the repository then that kernel
+will be used in the integration test. Please look at `spread.yaml` for details.
+
 Regression tests
 ----------------
 For details on structure and adding tests, see
@@ -354,6 +381,7 @@ The aa-notify tool's Python dependencies can be satisfied by installing the
 following packages (Debian package names, other distros may vary):
 * python3-notify2
 * python3-psutil
+* python3-sqlite (part of the python3.NN-stdlib package)
 * python3-tk
 * python3-ttkthemes
 * python3-gi

binutils/Makefile

@@ -21,7 +21,7 @@ DESTDIR=/
 BINDIR=${DESTDIR}/usr/bin
 SBINDIR=${DESTDIR}/usr/sbin
 LOCALEDIR=/usr/share/locale
-MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-status.8
+MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-load.8 aa-status.8
 
 WARNINGS = -Wall
 CPP_WARNINGS =

binutils/aa-load.pod

@@ -0,0 +1,77 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-load - load precompiled AppArmor policy from cache location(s)
+
+=head1 SYNOPSIS
+
+B<aa-load> [options] (cache file|cache dir|cache base dir)+
+
+=head1 DESCRIPTION
+
+B<aa-load> loads precompiled AppArmor policy from the specified locations.
+
+=head1 OPTIONS
+
+B<aa-load> accepts the following arguments:
+
+=over 4
+
+=item -f, --force
+
+Force B<aa-load> to load a policy even if its abi does not match the kernel abi.
+
+=item -d, --debug
+
+Display debug messages.
+
+=item -v, --verbose
+
+Display progress and error messages.
+
+=item -n, --dry-run
+
+Do not actually load the specified policy/policies into the kernel.
+
+=item -h, --help
+
+Display a brief usage guide.
+
+=back
+
+=head1 EXIT STATUS
+
+Upon exiting, B<aa-load> returns 0 upon success and 1 upon an error loading
+the precompiled policy.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://gitlab.com/apparmor/apparmor/-/issues>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), and L<https://wiki.apparmor.net>.
+
+=cut

binutils/aa_load.c

@@ -309,9 +309,8 @@ static int load_arg(char *arg)
 
 static void print_usage(const char *command)
 {
-	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)]*\n"
-	       "Load Precompiled AppArmor policy from a cache location or \n"
-	       "locations.\n\n"
+	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)+\n"
+	       "Load precompiled AppArmor policy from cache location(s)\n\n"
 	       "Options:\n"
 	       "  -f, --force     load policy even if abi does not match the kernel\n"
 	       "  -d, --debug     display debug messages\n"

binutils/aa_status.c

@@ -488,7 +488,7 @@ static int filter_processes(struct process *processes,
  *
  * Return: 0 on success, else shell error code
  */
-static int simple_filtered_count(FILE *outf, filters_t *filters,
+static int simple_filtered_count(FILE *outf, filters_t *filters, bool json,
 				 struct profile *profiles, size_t nprofiles)
 {
 	struct profile *filtered = NULL;
@@ -497,7 +497,13 @@ static int simple_filtered_count(FILE *outf, filters_t *filters,
 
 	ret = filter_profiles(profiles, nprofiles, filters,
 			      &filtered, &nfiltered);
-	fprintf(outf, "%zd\n", nfiltered);
+
+	if (!json) {
+		fprintf(outf, "%zd\n", nfiltered);
+	} else {
+		fprintf(outf, "\"profile_count\": %zd", nfiltered);
+	}
+
 	free_profiles(filtered, nfiltered);
 
 	return ret;
@@ -512,7 +518,7 @@ static int simple_filtered_count(FILE *outf, filters_t *filters,
  *
  * Return: 0 on success, else shell error code
  */
-static int simple_filtered_process_count(FILE *outf, filters_t *filters,
+static int simple_filtered_process_count(FILE *outf, filters_t *filters, bool json,
 					 struct process *processes, size_t nprocesses) {
 	struct process *filtered = NULL;
 	size_t nfiltered;
@@ -520,7 +526,12 @@ static int simple_filtered_process_count(FILE *outf, filters_t *filters,
 
 	ret = filter_processes(processes, nprocesses, filters, &filtered,
 			       &nfiltered);
-	fprintf(outf, "%zd\n", nfiltered);
+	if (!json) {
+		fprintf(outf, "%zd\n", nfiltered);
+	} else {
+		fprintf(outf, "\"process_count\": %zd", nfiltered);
+	}
+	
 	free_processes(filtered, nfiltered);
 
 	return ret;
@@ -539,7 +550,12 @@ static int compare_processes_by_executable(const void *a, const void *b) {
 
 static void json_header(FILE *outf)
 {
-	fprintf(outf, "{\"version\": \"%s\", ", aa_status_json_version);
+	fprintf(outf, "{\"version\": \"%s\"", aa_status_json_version);
+}
+
+static void json_seperator(FILE *outf)
+{
+	fprintf(outf, ", ");
 }
 
 static void json_footer(FILE *outf)
@@ -607,7 +623,7 @@ static int detailed_profiles(FILE *outf, filters_t *filters, bool json,
 		free_profiles(filtered, nfiltered);
 	}
 	if (json)
-		fprintf(outf, "}, ");
+		fprintf(outf, "}");
 
 	return AA_EXIT_ENABLED;
 }
@@ -700,7 +716,7 @@ static int detailed_processes(FILE *outf, filters_t *filters, bool json,
 			fprintf(outf, "]");
 		}
 
-		fprintf(outf, "}\n");
+		fprintf(outf, "}");
 	}
 
 exit:
@@ -1028,8 +1044,10 @@ int main(int argc, char **argv)
 	if (opt_json)
 		json_header(outf);
 	if (opt_show & SHOW_PROFILES) {
+		if (opt_json)
+			json_seperator(outf);
 		if (opt_count) {
-			ret = simple_filtered_count(outf, &filters,
+			ret = simple_filtered_count(outf, &filters, opt_json,
 						    profiles, nprofiles);
 		} else {
 			ret = detailed_profiles(outf, &filters, opt_json,
@@ -1040,6 +1058,9 @@ int main(int argc, char **argv)
 	}
 
 	if (opt_show & SHOW_PROCESSES) {
+		if (opt_json)
+			json_seperator(outf);
+
 		struct process *processes = NULL;
 		size_t nprocesses = 0;
 
@@ -1047,7 +1068,7 @@ int main(int argc, char **argv)
 		if (ret != 0) {
 			eprintf("Failed to get processes: %d....\n", ret);
 		} else if (opt_count) {
-			ret = simple_filtered_process_count(outf, &filters,
+			ret = simple_filtered_process_count(outf, &filters, opt_json,
 							processes, nprocesses);
 		} else {
 			ret = detailed_processes(outf, &filters, opt_json,

binutils/po/aa_load.pot

@@ -0,0 +1,34 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2025-02-18 07:37-0800\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_load.c:40
+msgid "aa-load: WARN: "
+msgstr ""
+
+#: ../aa_load.c:41
+msgid "aa-load: ERROR: "
+msgstr ""
+
+#: ../aa_load.c:51
+msgid "\n"
+msgstr ""
+
+#: ../aa_load.c:52
+msgid "aa-load: DEBUG: "
+msgstr ""

common/Make.rules

@@ -35,10 +35,7 @@ VERSION=$(shell cat $(COMMONDIR)/Version)
 pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
 map = $(foreach a,$(2),$(call $(1),$(a)))
 
-AWK:=$(shell which awk)
-ifndef AWK
-$(error awk utility required for build but not available)
-endif
+AWK?=$(or $(shell command -v awk),$(error awk utility required for build but not available))
 
 define nl
 

common/Version

@@ -1 +1 @@
-4.1.0~beta1
+4.1.0~beta5

libraries/libapparmor/configure.ac

@@ -92,6 +92,8 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 
+AC_PROG_CXX
+
 m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
 EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
 AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
@@ -99,6 +101,7 @@ AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
 	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
 	,)
 AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
+AC_SUBST([AM_CXXFLAGS], ["$EXTRA_CFLAGS"])
 
 AC_OUTPUT(
 Makefile

libraries/libapparmor/include/aalogparse.h

@@ -19,6 +19,10 @@
 #ifndef __LIBAALOGPARSE_H_
 #define __LIBAALOGPARSE_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define AA_RECORD_EXEC_MMAP	1
 #define AA_RECORD_READ		2
 #define AA_RECORD_WRITE		4
@@ -26,10 +30,10 @@
 #define AA_RECORD_LINK		16
 
 /**
- * This is just for convenience now that we have two 
- * wildly different grammars.
+ * Enum representing which syntax version the log entry used.
+ * Support for V1 parsing was completely removed in 2011 and that enum entry
+ * is only still there for API compatibility reasons.
  */
-
 typedef enum
 {
 	AA_RECORD_SYNTAX_V1,
@@ -48,70 +52,23 @@ typedef enum
 	AA_RECORD_STATUS	/* Configuration change */
 } aa_record_event_type;
 
-/**
- * With the sole exception of active_hat, this is a 1:1
- * mapping from the keys that the new syntax uses.
+/*
+ * Use this preprocessor dance to maintain backcompat for field names
+ * This will break C code that used the C++ reserved keywords "namespace"
+ * and "class" as identifiers, but this is bad practice anyways, and we
+ * hope that we are the only ones in a given C file that messed up this way
  *
- * Some examples of the old syntax and how they're mapped with the aa_log_record struct:
- *
- * "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
- * - operation: access
- * - requested_mask: r
- * - pid: 12345
- * - profile: /profile
- * - name: /path
- * - info: program_name
- * - active_hat: hat
- *
- * "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
- * - operation: mkdir
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out 
- * - active_hat: /bin/freak-aa-out 
- * 
- * "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: xattr
- * - attribute: set
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- *
- * "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: setattr
- * - attribute: something
- * - name: /else
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: capability
- * - name: cap
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
- * - operation: change_hat
- * - name: TESTHAT
- * - info: unknown_hat
- * - pid: 27764
- * - profile: /change_hat_test/test_hat
- * - active_hat: /change_hat_test/test_hat
- *
- * "LOGPROF-HINT fork pid=27764 child=38229"
- * - operation: clone
- * - task: 38229
- * - pid: 27764
- **/
+ * TODO: document this in a man page for aalogparse?
+ */
+#if defined(SWIG) && defined(__cplusplus)
+#error "SWIG and __cplusplus are defined together"
+#elif !defined(SWIG) && !defined(__cplusplus)
+/* Use SWIG's %rename feature to preserve backcompat */
+#define class rule_class
+#define namespace aa_namespace
+#endif
 
-typedef struct
+typedef struct aa_log_record
 {
 	aa_record_syntax_version version;
 	aa_record_event_type event;	/* Event type */
@@ -134,7 +91,7 @@ typedef struct
 	char *comm;			/* Command that triggered msg */
 	char *name;
 	char *name2;
-	char *namespace;
+	char *aa_namespace;
 	char *attribute;
 	unsigned long parent;	
 	char *info;
@@ -149,8 +106,6 @@ typedef struct
 	char *net_foreign_addr;
 	unsigned long net_foreign_port;
 
-	char *execpath;
-
 	char *dbus_bus;
 	char *dbus_path;
 	char *dbus_interface;
@@ -163,10 +118,11 @@ typedef struct
 	char *flags;
 	char *src_name;
 
-	char *class;
+	char *rule_class;
 
 	char *net_addr;
 	char *peer_addr;
+	char *execpath;
 } aa_log_record;
 
 /**
@@ -177,7 +133,7 @@ typedef struct
  * @return Parsed data.
  */
 aa_log_record *
-parse_record(char *str);
+parse_record(const char *str);
 
 /**
  * Frees all struct data.
@@ -186,5 +142,9 @@ parse_record(char *str);
 void
 free_record(aa_log_record *record);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif
 

libraries/libapparmor/include/sys/apparmor.h

@@ -105,8 +105,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
 #define AA_QUERY_CMD_LABEL		"label"
 #define AA_QUERY_CMD_LABEL_SIZE		sizeof(AA_QUERY_CMD_LABEL)
 
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
+extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
+			  int *audited);
 extern int aa_query_file_path_len(uint32_t mask, const char *label,
 				  size_t label_len, const char *path,
 				  size_t path_len, int *allowed, int *audited);

libraries/libapparmor/src/Makefile.am

@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
 #
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
 
-AA_LIB_CURRENT = 20
-AA_LIB_REVISION = 0
-AA_LIB_AGE = 19
-EXPECTED_SO_NAME = libapparmor.so.1.19.0
+AA_LIB_CURRENT = 25
+AA_LIB_REVISION = 1
+AA_LIB_AGE = 24
+EXPECTED_SO_NAME = libapparmor.so.1.24.1
 
 SUFFIXES = .pc.in .pc
 
@@ -44,7 +44,7 @@ include $(COMMONDIR)/Make.rules
 
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
-AM_YFLAGS = -d -p aalogparse_
+AM_YFLAGS = -Wno-yacc -d -p aalogparse_
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<
@@ -52,7 +52,7 @@ scanner.h: scanner.l
 scanner.c: scanner.l
 
 af_protos.h:
-	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
@@ -73,6 +73,16 @@ CLEANFILES = libapparmor.pc
 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a
 
+tst_aalogparse_cpp_SOURCES = tst_aalogparse_cpp.cpp
+tst_aalogparse_cpp_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_oldname_SOURCES = tst_aalogparse_oldname.c
+tst_aalogparse_oldname_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_reentrancy_SOURCES = tst_aalogparse_reentrancy.c
+tst_aalogparse_reentrancy_LDADD = .libs/libapparmor.a
+tst_aalogparse_reentrancy_LDFLAGS = -pthread
+
 tst_features_SOURCES = tst_features.c
 tst_features_LDADD = .libs/libapparmor.a
 
@@ -80,7 +90,7 @@ tst_kernel_SOURCES = tst_kernel.c
 tst_kernel_LDADD = .libs/libapparmor.a
 tst_kernel_LDFLAGS = -pthread
 
-check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
+check_PROGRAMS = tst_aalogmisc tst_aalogparse_cpp tst_aalogparse_reentrancy tst_aalogparse_oldname tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
 .PHONY: check-local

libraries/libapparmor/src/grammar.y

@@ -15,17 +15,15 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+/* aalogparse_error now requires visibility of the aa_log_record type
+ * Also include in a %code requires block to add it to the header
+ */
+%code requires{
+	#include <aalogparse.h>
+}
 
 %{
 
-/* set the following to non-zero to get bison to emit debugging
- * information about tokens given and rules matched.
- * Also:
- *   Uncomment the %defines
- *   parse.error
- *   parse.trace
- */
-#define YYDEBUG 0
 #include <string.h>
 #include <aalogparse.h>
 #include "parser.h"
@@ -41,12 +39,10 @@
 #define debug_unused_ unused_
 #endif
 
-aa_log_record *ret_record;
-
 /* Since we're a library, on any errors we don't want to print out any
  * error messages. We should probably add a debug interface that does
  * emit messages when asked for. */
-void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
+void aalogparse_error(unused_ void *scanner, aa_log_record *ret_record, debug_unused_ char const *s)
 {
 #if (YYDEBUG != 0)
 	printf("ERROR: %s\n", s);
@@ -89,9 +85,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %define parse.trace
 */
 
-%define api.pure
+%define api.pure full
 %lex-param{void *scanner}
 %parse-param{void *scanner}
+%parse-param{aa_log_record *ret_record}
 
 %union
 {
@@ -284,8 +281,9 @@ audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
 
 audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
 	{
-		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
-			yyerror(scanner, YY_("Out of memory"));
+		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7)) {
+			yyerror(scanner, ret_record, YY_("Out of memory"));
+		}
 		ret_record->epoch = atol($3);
 		ret_record->audit_sub_id = atoi($7);
 		free($3);
@@ -308,7 +306,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_NAME TOK_EQUALS safe_string
 	{ ret_record->name = $3;}
 	| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
-	{ ret_record->namespace = $3;}
+	{ ret_record->aa_namespace = $3;}
 	| TOK_KEY_NAME2 TOK_EQUALS safe_string
 	{ ret_record->name2 = $3;}
 	| TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
@@ -440,7 +438,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 		ret_record->info = $1;
 	}
 	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
-	{ ret_record->class = $3; }
+	{ ret_record->rule_class = $3; }
 	;
 
 apparmor_event:
@@ -477,31 +475,3 @@ protocol: TOK_QUOTED_STRING
 	}
 	;
 %%
-
-aa_log_record *
-_parse_yacc(char *str)
-{
-	/* yydebug = 1;  */
-	YY_BUFFER_STATE lex_buf;
-	yyscan_t scanner;
-
-	ret_record = NULL;
-	ret_record = malloc(sizeof(aa_log_record));
-
-	_init_log_record(ret_record);
-
-	if (ret_record == NULL)
-		return NULL;
-
-#if (YYDEBUG != 0)
-	yydebug = 1;
-#endif
-
-	aalogparse_lex_init(&scanner);
-	lex_buf = aalogparse__scan_string(str, scanner);
-	/* Ignore return value to return an AA_RECORD_INVALID event */
-	(void)aalogparse_parse(scanner);
-	aalogparse__delete_buffer(lex_buf, scanner);
-	aalogparse_lex_destroy(scanner);
-	return ret_record;
-}

libraries/libapparmor/src/libaalogparse.c

@@ -34,13 +34,42 @@
 #include <aalogparse.h>
 #include "parser.h"
 
+#include "grammar.h"
+#include "scanner.h"
+
 /* This is mostly just a wrapper around the code in grammar.y */
-aa_log_record *parse_record(char *str)
+aa_log_record *parse_record(const char *str)
 {
+	YY_BUFFER_STATE lex_buf;
+	yyscan_t scanner;
+	aa_log_record *ret_record;
+
 	if (str == NULL)
 		return NULL;
 
-	return _parse_yacc(str);
+	ret_record = malloc(sizeof(aa_log_record));
+
+	_init_log_record(ret_record);
+
+	if (ret_record == NULL)
+		return NULL;
+
+	struct string_buf string_buf = {.buf = NULL, .buf_len = 0, .buf_alloc = 0};
+
+#if (YYDEBUG != 0)
+	/* Warning: this is still a global even in reentrant parsers */
+	aalogparse_debug = 1;
+#endif
+
+	aalogparse_lex_init_extra(&string_buf, &scanner);
+	lex_buf = aalogparse__scan_string(str, scanner);
+	/* Ignore return value to return an AA_RECORD_INVALID event */
+	(void)aalogparse_parse(scanner, ret_record);
+	aalogparse__delete_buffer(lex_buf, scanner);
+	aalogparse_lex_destroy(scanner);
+	/* free(NULL) is a no-op */
+	free(string_buf.buf);
+	return ret_record;
 }
 
 void free_record(aa_log_record *record)
@@ -63,8 +92,8 @@ void free_record(aa_log_record *record)
 			free(record->name);
 		if (record->name2 != NULL)
 			free(record->name2);
-		if (record->namespace != NULL)
-			free(record->namespace);
+		if (record->aa_namespace != NULL)
+			free(record->aa_namespace);
 		if (record->attribute != NULL)
 			free(record->attribute);
 		if (record->info != NULL)
@@ -110,8 +139,8 @@ void free_record(aa_log_record *record)
 		if (record->execpath != NULL)
 			free(record->execpath);
 
-		if (record->class != NULL)
-			free(record->class);
+		if (record->rule_class != NULL)
+			free(record->rule_class);
 
 		free(record);
 	}

libraries/libapparmor/src/parser.h

@@ -19,8 +19,14 @@
 #ifndef __AA_LOG_PARSER_H__
 #define __AA_LOG_PARSER_H__
 
+// Internal-only type
+struct string_buf {
+	char *buf;
+	unsigned int buf_len;
+	unsigned int buf_alloc;
+};
+
 extern void _init_log_record(aa_log_record *record);
-extern aa_log_record *_parse_yacc(char *str);
 extern char *hex_to_string(char *str);
 extern char *ipproto_to_string(unsigned int proto);
 

libraries/libapparmor/src/scanner.l

@@ -19,6 +19,7 @@
 %option nounput
 %option noyy_top_state
 %option reentrant
+%option extra-type="struct string_buf*"
 %option prefix="aalogparse_"
 %option bison-bridge
 %option header-file="scanner.h"
@@ -34,40 +35,37 @@
 
 #define YY_NO_INPUT
 
-unsigned int string_buf_alloc = 0;
-unsigned int string_buf_len = 0;
-char *string_buf = NULL;
-
-void string_buf_reset()
+void string_buf_reset(struct string_buf* char_buf)
 {
 	/* rewind buffer to zero, possibly doing initial allocation too */
-	string_buf_len = 0;
- 	if (string_buf == NULL) {
-		string_buf_alloc = 128;
-		string_buf = malloc(string_buf_alloc);
-		assert(string_buf != NULL);
+	char_buf->buf_len = 0;
+	if (char_buf->buf == NULL) {
+		char_buf->buf_alloc = 128;
+		char_buf->buf = malloc(char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* always start with a valid but empty string */
-	string_buf[0] = '\0';
+	char_buf->buf[0] = '\0';
 }
 
-void string_buf_append(unsigned int length, char *text)
+void string_buf_append(struct string_buf* char_buf, unsigned int length, char *text)
 {
-	unsigned int current_length = string_buf_len;
+	unsigned int current_length = char_buf->buf_len;
 
 	/* handle calling ..._append before ..._reset */
-	if (string_buf == NULL) string_buf_reset();
+	if (char_buf->buf == NULL) string_buf_reset(char_buf);
 
-	string_buf_len += length;
+	char_buf->buf_len += length;
 	/* expand allocation if this append would exceed the allocation */
-	while (string_buf_len >= string_buf_alloc) {
-		string_buf_alloc *= 2;
-		string_buf = realloc(string_buf, string_buf_alloc);
-		assert(string_buf != NULL);
+	while (char_buf->buf_len >= char_buf->buf_alloc) {
+		// TODO: overflow?
+		char_buf->buf_alloc *= 2;
+		char_buf->buf = realloc(char_buf->buf, char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* copy and unconditionally terminate */
-	memcpy(string_buf+current_length, text, length);
-	string_buf[string_buf_len] = '\0';
+	memcpy(char_buf->buf+current_length, text, length);
+	char_buf->buf[char_buf->buf_len] = '\0';
 }
 
 %}
@@ -232,7 +230,7 @@ yy_flex_debug = 0;
 	{open_paren}		{ return(TOK_OPEN_PAREN); }
 	{close_paren}		{ BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
 	{ws}		{ }
-	\"			{ string_buf_reset(); BEGIN(quoted_string); }
+	\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{ID}+	{
 			yylval->t_str = strdup(yytext);
 			BEGIN(INITIAL);
@@ -241,20 +239,20 @@ yy_flex_debug = 0;
 	{equals}		{ return(TOK_EQUALS); }
 	}
 
-\"			{ string_buf_reset(); BEGIN(quoted_string); }
+\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 <quoted_string>\"	{ /* End of the quoted string */
 				BEGIN(INITIAL);
-				yylval->t_str = strdup(string_buf);
+				yylval->t_str = strdup(yyextra->buf);
 				return(TOK_QUOTED_STRING);
 			}
 
 
-<quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
+<quoted_string>\\(.|\n) { string_buf_append(yyextra, 1, &yytext[1]); }
 
-<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
+<quoted_string>[^\\\n\"]+ { string_buf_append(yyextra, yyleng, yytext); }
 
 <safe_string>{
-	\"		{ string_buf_reset(); BEGIN(quoted_string); }
+	\"		{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{hexstring}	{ yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
 	{equals}	{ return(TOK_EQUALS); }
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }

libraries/libapparmor/src/tst_aalogparse_cpp.cpp

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can do aalogparse stuff in C++ */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->aa_namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->rule_class != NULL) && (strcmp(record->rule_class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_oldname.c

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can use the C++-incompatible field names */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->class != NULL) && (strcmp(record->class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_reentrancy.c

@@ -0,0 +1,154 @@
+#include <pthread.h>
+#include <string.h>
+
+#include <aalogparse.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+const char* log_line_2 = "[ 4074.372559] audit: type=1400 audit(1725553393.143:793): apparmor=\"DENIED\" operation=\"capable\" class=\"cap\" profile=\"/usr/lib/snapd/snap-confine\" pid=19034 comm=\"snap-confine\" capability=12  capname=\"net_admin\"";
+
+static int pthread_barrier_ok(int barrier_result) {
+	return barrier_result == 0 || barrier_result == PTHREAD_BARRIER_SERIAL_THREAD;
+}
+
+static int nullcmp_and_strcmp(const void *s1, const void *s2)
+{
+	/* Return 0 if both pointers are NULL & non-zero if only one is NULL */
+	if (!s1 || !s2)
+		return s1 != s2;
+
+	return strcmp(s1, s2);
+}
+
+int aa_log_record_eq(aa_log_record *record1, aa_log_record *record2) {
+	int are_eq = 1;
+
+	are_eq &= (record1->version == record2->version);
+	are_eq &= (record1->event == record2->event);
+	are_eq &= (record1->pid == record2->pid);
+	are_eq &= (record1->peer_pid == record2->peer_pid);
+	are_eq &= (record1->task == record2->task);
+	are_eq &= (record1->magic_token == record2->magic_token);
+	are_eq &= (record1->epoch == record2->epoch);
+	are_eq &= (record1->audit_sub_id == record2->audit_sub_id);
+
+	are_eq &= (record1->bitmask == record2->bitmask);
+	are_eq &= (nullcmp_and_strcmp(record1->audit_id, record2->audit_id) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->operation, record2->operation) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->denied_mask, record2->denied_mask) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->requested_mask, record2->requested_mask) == 0);
+	are_eq &= (record1->fsuid == record2->fsuid);
+	are_eq &= (record1->ouid == record2->ouid);
+	are_eq &= (nullcmp_and_strcmp(record1->profile, record2->profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_profile, record2->peer_profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->comm, record2->comm) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name, record2->name) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name2, record2->name2) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->namespace, record2->namespace) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->attribute, record2->attribute) == 0);
+	are_eq &= (record1->parent == record2->parent);
+	are_eq &= (nullcmp_and_strcmp(record1->info, record2->info) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_info, record2->peer_info) == 0);
+	are_eq &= (record1->error_code == record2->error_code);
+	are_eq &= (nullcmp_and_strcmp(record1->active_hat, record2->active_hat) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_family, record2->net_family) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_protocol, record2->net_protocol) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_sock_type, record2->net_sock_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_local_addr, record2->net_local_addr) == 0);
+	are_eq &= (record1->net_local_port == record2->net_local_port);
+	are_eq &= (nullcmp_and_strcmp(record1->net_foreign_addr, record2->net_foreign_addr) == 0);
+	are_eq &= (record1->net_foreign_port == record2->net_foreign_port);
+
+	are_eq &= (nullcmp_and_strcmp(record1->execpath, record2->execpath) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_bus, record2->dbus_bus) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_path, record2->dbus_path) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_interface, record2->dbus_interface) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_member, record2->dbus_member) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->signal, record2->signal) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer, record2->peer) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->fs_type, record2->fs_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->flags, record2->flags) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->src_name, record2->src_name) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->class, record2->class) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->net_addr, record2->net_addr) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_addr, record2->peer_addr) == 0);
+	return are_eq;
+}
+
+typedef struct {
+	const char* log;
+	pthread_barrier_t *barrier;
+} pthread_parse_args;
+
+void* pthread_parse_log(void* args) {
+	pthread_parse_args *args_real = (pthread_parse_args *) args;
+	int barrier_wait_result = pthread_barrier_wait(args_real->barrier);
+	/* Return NULL and fail test if barrier wait fails */
+	if (!pthread_barrier_ok(barrier_wait_result)) {
+		return NULL;
+	}
+	aa_log_record *record = parse_record(args_real->log);
+	return (void*) record;
+}
+
+#define NUM_THREADS 16
+
+int main(void) {
+	pthread_t thread_ids[NUM_THREADS];
+	pthread_barrier_t barrier;
+	int barrier_wait_result;
+	aa_log_record* parsed_logs[NUM_THREADS];
+	int rc = 0;
+	/* Set up arguments to be passed to threads */
+	pthread_parse_args args = {.log=log_line, .barrier=&barrier};
+	pthread_parse_args args2 = {.log=log_line_2, .barrier=&barrier};
+
+	MY_TEST(NUM_THREADS > 2, "Test requires more than 2 threads");
+
+	/* Use barrier to synchronize the start of log parsing among all the threads
+	 * This increases the likelihood of tickling race conditions, if there are any
+	 */
+	MY_TEST(pthread_barrier_init(&barrier, NULL, NUM_THREADS+1) == 0,
+		"Could not init pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		if (i%2 == 0) {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args);
+		} else {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args2);
+		}
+	}
+	/* Final barrier_wait to set off the thread race */
+	barrier_wait_result = pthread_barrier_wait(&barrier);
+	MY_TEST(pthread_barrier_ok(barrier_wait_result), "Could not wait on pthread barrier");
+
+	/* Wait for threads to finish parsing the logs */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(pthread_join(thread_ids[i], (void*) &parsed_logs[i]) == 0, "Could not join thread");
+	}
+
+	/* Check that all logs parsed and are equal */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(parsed_logs[i] != NULL, "Log failed to parse");
+		MY_TEST(parsed_logs[i]->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+		MY_TEST(parsed_logs[i]->event == AA_RECORD_DENIED, "Log should have parsed as denied");
+
+		/* Also check i==0 and i==1 as a sanity check for aa_log_record_eq */
+		if (i%2 == 0) {
+			MY_TEST(aa_log_record_eq(parsed_logs[0], parsed_logs[i]), "Log 0 != Log even");
+		} else {
+			MY_TEST(aa_log_record_eq(parsed_logs[1], parsed_logs[i]), "Log 1 != Log odd");
+		}
+	}
+	MY_TEST(!aa_log_record_eq(parsed_logs[0], parsed_logs[1]), "Log 0 and log 1 shouldn't be equal");
+	/* Clean up */
+	MY_TEST(pthread_barrier_destroy(&barrier) == 0, "Could not destroy pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		free_record(parsed_logs[i]);
+	}
+	return rc;
+}

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -5,9 +5,98 @@
 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
 
+// Include static_assert if the C compiler supports it
+// static_assert standardized since C11, assert.h not needed since C23
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && __STDC_VERSION__ < 202311L
+#include <assert.h>
+#endif
 %}
 
 %include "typemaps.i"
+%include <cstring.i>
+%include <stdint.i>
+%include <exception.i>
+
+/*
+ * SWIG 4.3 included https://github.com/swig/swig/pull/2907 to distinguish
+ * between Py_None being returned as a default void and Py_None being returned
+ * as the equivalent of C NULL. Unfortunately, this turns into an API breaking
+ * change with our use of %append_output when we want the Python function to
+ * return something even when the C function has a void return type. Thus, we
+ * need an additional macro to smooth over the differences. Include all affected
+ * languages, even ones we don't build bindings for, for completeness.
+ */
+#if SWIG_VERSION >= 0x040300
+#ifdef SWIGPYTHON
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Python_AppendOutput($result, value, 1);}
+#elif defined(SWIGRUBY)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Ruby_AppendOutput($result, value, 1);}
+#elif defined(SWIGPHP)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Php_AppendOutput($result, value, 1);}
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+
+%newobject parse_record;
+%delobject free_record;
+/*
+ * Despite its name, %delobject does not hook up destructors to language
+ * deletion mechanisms. Instead, it sets flags so that manually calling the
+ * free function and then deleting by language mechanisms doesn't cause a
+ * double-free.
+ *
+ * Additionally, we can manually extend the struct with a C++-like
+ * destructor. This ensures that the record struct is freed 
+ * automatically when the high-level object goes out of scope.
+ */
+%extend aa_log_record {
+	~aa_log_record() {
+		free_record($self);
+	}
+}
+
+/*
+ * Generate a no-op free_record wrapper to avoid making a double-free footgun.
+ * Use rename directive to avoid colliding with the actual free_record, which
+ * we use above to clean up when the higher-level language deletes the object.
+ * 
+ * Ideally we would not expose a free_record at all, but we need to maintain
+ * backwards compatibility with the existing high-level code that uses it.
+ */
+%rename(free_record) noop_free_record;
+#ifdef SWIGPYTHON
+%pythonprepend noop_free_record %{
+import warnings
+warnings.warn("free_record is now a no-op as the record's memory is handled automatically", DeprecationWarning)
+%}
+#endif
+%feature("autodoc",
+  "This function used to free aa_log_record objects. Freeing is now handled "
+  "automatically, so this no-op function remains for backwards compatibility.") noop_free_record;
+%inline %{
+  void noop_free_record(aa_log_record *record) {(void) record;}
+%}
+
+/*
+ * Do not autogenerate a wrapper around free_record. This does not prevent us
+ * from calling it ourselves in %extend C code.
+ */
+%ignore free_record;
+
+
+/*
+ * Map names to preserve backwards compatibility
+ */
+#ifdef SWIGPYTHON
+%rename("_class") aa_log_record::rule_class;
+#else
+%rename("class") aa_log_record::rule_class;
+#endif
+%rename("namespace") aa_log_record::aa_namespace;
+
 %include <aalogparse.h>
 
 /**
@@ -21,18 +110,75 @@
 
 /* apparmor.h */
 
+/*
+ * label is a heap-allocated pointer, but when label and mode occur together,
+ * the freeing of label must be deferred because mode points into label.
+ *
+ * %cstring_output_allocate((char **label, char **mode), free(*$1))
+ * does not handle multi-argument typemaps correctly, so we write our own
+ * typemap based on it instead.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **label, char **mode) ($*1_ltype temp_label = 0, $*2_ltype temp_mode = 0) {
+  $1 = &temp_label;
+  $2 = &temp_mode;
+}
+%typemap(freearg,match="in") (char **label, char **mode) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **label, char **mode) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$2));
+  free(*$1);
+}
+
+/*
+ * mode also occurs in combination with con in aa_splitcon
+ * typemap based on %cstring_mutable but with substantial modifications
+ */
+%typemap(in,numinputs=1,fragment="SWIG_AsCharPtrAndSize") (char *con, char **mode) ($*2_ltype temp_mode = 0) {
+  int alloc_status = 0;
+  $1_ltype con_ptr = NULL;
+  size_t con_len = 0;
+  int char_ptr_res = SWIG_AsCharPtrAndSize($input, &con_ptr, &con_len, &alloc_status);
+  if (!SWIG_IsOK(char_ptr_res)) {
+    %argument_fail(char_ptr_res, "char *con", $symname, $argnum);
+  }
+  if (alloc_status != SWIG_NEWOBJ) {
+    // Unconditionally copy because the C function modifies the string in place
+    $1 = %new_copy_array(con_ptr, con_len+1, char);
+  } else {
+    $1 = con_ptr;
+  }
+
+  $2 = &temp_mode;
+}
+%typemap(freearg,noblock=1,match="in") (char *con, char **mode) {
+  %delete_array($1);
+}
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char *con, char **mode) {
+  /*
+   * aa_splitcon returns either con or NULL so we don't need to explicitly
+   * append it to the output, and we don't need the ISVOID helper here
+   * 
+   * SWIG_FromCharPtr does NULL checks for us
+   */
+  %append_output(SWIG_FromCharPtr(*$2));
+}
+
+%exception aa_splitcon {
+  $action
+  if (result == NULL) {
+    SWIG_exception_fail(SWIG_ValueError, "received invalid confinement context");
+  }
+}
+
 extern char *aa_splitcon(char *con, char **mode);
 
-/* apparmor_private.h */
-
-extern int _aa_is_blacklisted(const char *name);
-
 #ifdef SWIGPYTHON
 %exception {
   $action
   if (result < 0) {
+    // Unfortunately SWIG_exception does not support OSError
     PyErr_SetFromErrno(PyExc_OSError);
-    return NULL;
+    SWIG_fail;
   }
 }
 #endif
@@ -41,33 +187,219 @@ extern int _aa_is_blacklisted(const char *name);
 
 /* apparmor.h */
 
+/*
+ * aa_is_enabled returns a boolean as an int with failure reason in errno 
+ * Therefore, aa_is_enabled either returns True or throws an exception
+ *
+ * Keep that behavior for backwards compatibilty but return a boolean on Python
+ * where it makes more sense, which isn't a breaking change because a boolean is
+ * a subclass of int
+ */
+#ifdef SWIGPYTHON
+%typemap(out) int {
+	$result = PyBool_FromLong($1);
+}
+#endif
 extern int aa_is_enabled(void);
-extern int aa_find_mountpoint(char **mnt);
+
+#ifdef SWIGPYTHON
+// Based on SWIG's argcargv.i but we don't have an argc
+%typemap(in,fragment="SWIG_AsCharPtr") const char *subprofiles[] (Py_ssize_t seq_len=0, int* alloc_tracking = NULL) {
+  void* arg_as_ptr = NULL;
+  int res_convertptr = SWIG_ConvertPtr($input, &arg_as_ptr, $descriptor(char*[]), 0);
+  if (SWIG_IsOK(res_convertptr)) {
+    $1 = %static_cast(arg_as_ptr, $1_ltype);
+  } else {
+    // Clear error that would be set if ptr conversion failed
+    PyErr_Clear();
+
+    int is_list = PyList_Check($input);
+    if (is_list || PyTuple_Check($input)) {
+      seq_len = PySequence_Length($input);
+      /*
+       * %new_array zero-inits for cleaner error handling and memory cleanup
+       * %delete_array(NULL) is no-op (either free or delete), and
+       * alloc_tracking of 0 is uninit
+       * 
+       * Further note: SWIG_exception_fail jumps to the freearg typemap
+       */
+      $1 = %new_array(seq_len+1, char *);
+      if ($1 == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C subprofiles");
+      }
+
+      alloc_tracking = %new_array(seq_len, int);
+      if (alloc_tracking == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C alloc track arr");
+      }
+      for (Py_ssize_t i=0; i<seq_len; i++) {
+        PyObject *o = is_list ? PyList_GetItem($input, i) : PyTuple_GetItem($input, i);
+        if (o == NULL) {
+          // Failed to get item-Python already set exception info
+          SWIG_fail;
+        } else if (o == Py_None) {
+          // SWIG_AsCharPtr(Py_None, ...) succeeds with ptr output being NULL
+          SWIG_exception_fail(SWIG_ValueError, "sequence contains a None object");
+        }
+        int res = SWIG_AsCharPtr(o, &$1[i], &alloc_tracking[i]);
+        if (!SWIG_IsOK(res)) {
+          // Could emit idx of error here, maybe?
+          SWIG_exception_fail(SWIG_ArgError(res), "sequence does not contain all strings");
+        }
+      }
+    } else {
+      SWIG_exception_fail(SWIG_TypeError, "subprofiles is not a list or tuple");
+    }
+  }
+}
+%typemap(freearg,noblock=1) const char *subprofiles[] {
+/*
+ * If static_assert is present, use it to verify the assumption that
+ * allocation uninitialized (0) != SWIG_NEWOBJ
+ */
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  /* 
+   * Some older versions of SWIG place this right after a goto label
+   * This would then be a label followed by a declaration, a C23 extension (!)
+   * To ensure this works for older SWIG versions and older compilers,
+   * make this a block element with curly braces.
+   */
+  {static_assert(SWIG_NEWOBJ != 0, "SWIG_NEWOBJ is 0");}
+%#endif
+  if ($1 != NULL && alloc_tracking$argnum != NULL) {
+    for (Py_ssize_t i=0; i<seq_len$argnum; i++) {
+      if (alloc_tracking$argnum[i] == SWIG_NEWOBJ) {
+        %delete_array($1[i]);
+      }
+    }
+  }
+  %delete_array(alloc_tracking$argnum);
+  %delete_array($1);
+}
+#endif
+
+/* These should not receive the VOID_Object typemap */
 extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
 extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
-extern int aa_change_hat_vargs(unsigned long token, int count, ...);
 extern int aa_stack_profile(const char *profile);
 extern int aa_stack_onexec(const char *profile);
-extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
-			      char **mode);
-extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
+
+/*
+ * aa_find_mountpoint mnt is an output pointer to a heap-allocated string
+ *
+ * This is a replica of %cstring_output_allocate(char **mnt, free(*$1))
+ * that uses the ISVOID helper to work correctly on SWIG 4.3 or later.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **mnt) ($*1_ltype temp_mnt = 0) {
+  $1 = &temp_mnt;
+}
+%typemap(freearg,match="in") (char **mnt) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **mnt) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  free(*$1);
+}
+/* The other errno-based functions should not always be returning the int value:
+ * - Python exceptions signal success/failure status instead via the %exception 
+ *   handler above.
+ * - Perl (the other binding) has $! for accessing errno but would check the int
+ *   return status first.
+ *
+ * The generated C code for (out) resets the return value to None
+ * before appending the returned data (argout generated by %cstring stuff)
+ */
+#ifdef SWIGPYTHON
+%typemap(out,noblock=1) int {
+#if defined(VOID_Object)
+	$result = VOID_Object;
+#endif
+}
+#endif
+
+/*
+ * We can't use "typedef int pid_t" because we still support systems
+ * with 16-bit PIDs and SWIG can't find sys/types.h
+ *
+ * Capture the passed-in value as a long because pid_t is guaranteed
+ * to be a signed integer and because the aalogparse struct uses
+ * (unsigned) longs to store pid values. While intmax_t would be more
+ * technically correct, if sizeof(pid_t) > sizeof(long) then aalogparse
+ * itself would also need fixing.
+ */
+%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, long pid_large) {
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  static_assert(sizeof(pid_t) <= sizeof(long),
+    "pid_t type is too large to be stored in a long");
+%#endif
+  conv_pid = SWIG_AsVal_long($input, &pid_large);
+  if (!SWIG_IsOK(conv_pid)) {
+    %argument_fail(conv_pid, "pid_t", $symname, $argnum);
+  }
+  /*
+   * Cast the long to a pid_t and then cast back to check for overflow
+   * Technically this is implementation-defined behaviour but we should be fine
+   */
+  $1 = (pid_t) pid_large;
+  if ((long) $1 != pid_large) {
+    SWIG_exception_fail(SWIG_OverflowError, "pid_t is too large");
+  }
+}
+
+extern int aa_find_mountpoint(char **mnt);
+extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
 extern int aa_gettaskcon(pid_t target, char **label, char **mode);
 extern int aa_getcon(char **label, char **mode);
-extern int aa_getpeercon_raw(int fd, char *buf, socklen_t *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
-extern int aa_query_file_path_len(uint32_t mask, const char *label,
-				  size_t label_len, const char *path,
-				  size_t path_len, int *allowed, int *audited);
+
+/*
+ * Typemaps for the boolean outputs of the query functions
+ * Use boolean types for Python and int types elsewhere
+ */
+#ifdef SWIGPYTHON
+// TODO: find a way to deduplicate these
+%typemap(in, numinputs=0) int *allowed (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *allowed {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+
+%typemap(in, numinputs=0) int *audited (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *audited {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+#else
+%apply int *OUTPUT { int *allowed };
+%apply int *OUTPUT { int *audited };
+#endif
+
+/* Sync this with the apparmor.h */
+/* Permission flags for the AA_CLASS_FILE mediation class */
+#define AA_MAY_EXEC			(1 << 0)
+#define AA_MAY_WRITE			(1 << 1)
+#define AA_MAY_READ			(1 << 2)
+#define AA_MAY_APPEND			(1 << 3)
+#define AA_MAY_CREATE			(1 << 4)
+#define AA_MAY_DELETE			(1 << 5)
+#define AA_MAY_OPEN			(1 << 6)
+#define AA_MAY_RENAME			(1 << 7)
+#define AA_MAY_SETATTR			(1 << 8)
+#define AA_MAY_GETATTR			(1 << 9)
+#define AA_MAY_SETCRED			(1 << 10)
+#define AA_MAY_GETCRED			(1 << 11)
+#define AA_MAY_CHMOD			(1 << 12)
+#define AA_MAY_CHOWN			(1 << 13)
+#define AA_MAY_LOCK			0x8000
+#define AA_EXEC_MMAP			0x10000
+#define AA_MAY_LINK			0x40000
+#define AA_MAY_ONEXEC			0x20000000
+#define AA_MAY_CHANGE_PROFILE		0x40000000
+
 extern int aa_query_file_path(uint32_t mask, const char *label,
 			      const char *path, int *allowed, int *audited);
-extern int aa_query_link_path_len(const char *label, size_t label_len,
-				  const char *target, size_t target_len,
-				  const char *link, size_t link_len,
-				  int *allowed, int *audited);
 extern int aa_query_link_path(const char *label, const char *target,
 			      const char *link, int *allowed, int *audited);
 

libraries/libapparmor/swig/python/test/buildpath.py

@@ -7,7 +7,7 @@ import sysconfig
 import setuptools
 
 
-if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+if tuple(map(int, setuptools.__version__.split(".")[:2])) >= (62, 1):
     identifier = sys.implementation.cache_tag
 else:
     identifier = "%d.%d" % sys.version_info[:2]

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -55,10 +55,100 @@ NO_VALUE_MAP = {
     'fsuid': int(ctypes.c_ulong(-1).value),
     'ouid':  int(ctypes.c_ulong(-1).value),
 }
-
-
 class AAPythonBindingsTests(unittest.TestCase):
 
+    def setUp(self):
+        # REPORT ALL THE OUTPUT
+        self.maxDiff = None
+
+    def test_aa_splitcon(self):
+        AA_SPLITCON_EXPECT = [
+            ("unconfined", "unconfined", None),
+            ("unconfined\n", "unconfined", None),
+            ("/bin/ping (enforce)", "/bin/ping", "enforce"),
+            ("/bin/ping (enforce)\n", "/bin/ping", "enforce"),
+            ("/usr/sbin/rsyslog (complain)", "/usr/sbin/rsyslog", "complain"),
+        ]
+        for context, expected_label, expected_mode in AA_SPLITCON_EXPECT:
+            actual_label, actual_mode = libapparmor.aa_splitcon(context)
+            if expected_label is None:
+                self.assertIsNone(actual_label)
+            else:
+                self.assertIsInstance(actual_label, str)
+                self.assertEqual(expected_label, actual_label)
+
+            if expected_mode is None:
+                self.assertIsNone(actual_mode)
+            else:
+                self.assertIsInstance(actual_mode, str)
+                self.assertEqual(expected_mode, actual_mode)
+
+        with self.assertRaises(ValueError):
+            libapparmor.aa_splitcon("")
+
+    def test_aa_is_enabled(self):
+        aa_enabled = libapparmor.aa_is_enabled()
+        self.assertIsInstance(aa_enabled, bool)
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_find_mountpoint(self):
+        mount_point = libapparmor.aa_find_mountpoint()
+        self.assertIsInstance(mount_point, str)
+        self.assertGreater(len(mount_point), 0, "mount point should not be empty")
+        self.assertTrue(os.path.isdir(mount_point))
+
+    # TODO: test commented out functions (or at least their prototypes)
+    # extern int aa_change_profile(const char *profile);
+    # extern int aa_change_onexec(const char *profile);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_change_hats(self):
+        # Changing hats will fail because we have no valid hats to change to
+        # However, we still verify that we get an OSError instead of a TypeError
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hat("nonexistent_profile", 12345678)
+
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hatv(["nonexistent_1", "nonexistent_2"], 0xabcdef)
+            libapparmor.aa_change_hatv(("nonexistent_1", "nonexistent_2"), 0xabcdef)
+
+    # extern int aa_stack_profile(const char *profile);
+    # extern int aa_stack_onexec(const char *profile);
+    # extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
+    # extern int aa_gettaskcon(pid_t target, char **label, char **mode);
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_gettaskcon(self):
+        # Our test harness should be running us as unconfined
+        # Get our own pid and this should be equivalent to aa_getcon
+        pid = os.getpid()
+
+        label, mode = libapparmor.aa_gettaskcon(pid)
+        self.assertEqual(label, "unconfined", "aa_gettaskcon label should be unconfined")
+        self.assertIsNone(mode, "aa_gettaskcon mode should be unconfined")
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_getcon(self):
+        # Our test harness should be running us as unconfined
+        label, mode = libapparmor.aa_getcon()
+        self.assertEqual(label, "unconfined", "aa_getcon label should be unconfined")
+        self.assertIsNone(mode, "aa_getcon mode should be unconfined")
+
+    # extern int aa_getpeercon(int fd, char **label, char **mode);
+
+    # extern int aa_query_file_path(uint32_t mask, const char *label,
+    #                 const char *path, int *allowed, int *audited);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_query_file_path(self):
+        aa_query_mask = libapparmor.AA_MAY_EXEC | libapparmor.AA_MAY_READ | libapparmor.AA_MAY_WRITE
+        allowed, audited = libapparmor.aa_query_file_path(aa_query_mask, "unconfined", "/tmp/hello")
+        self.assertTrue(allowed)
+        self.assertFalse(audited)
+    # extern int aa_query_link_path(const char *label, const char *target,
+    #                 const char *link, int *allowed, int *audited);
+
+
+class AALogParsePythonBindingsTests(unittest.TestCase):
+
     def setUp(self):
         # REPORT ALL THE OUTPUT
         self.maxDiff = None
@@ -118,6 +208,9 @@ class AAPythonBindingsTests(unittest.TestCase):
                 # FIXME: out files should report log version?
                 # FIXME: or can we just deprecate v1 logs?
                 continue
+            elif key == "thisown":
+                # SWIG generates this key to track memory allocation
+                continue
             elif key in NO_VALUE_MAP:
                 if NO_VALUE_MAP[key] == value:
                     continue
@@ -142,7 +235,7 @@ def main():
         def stub_test(self, testname=f):
             self._runtest(testname)
         stub_test.__doc__ = "test " + f
-        setattr(AAPythonBindingsTests, 'test_' + f, stub_test)
+        setattr(AALogParsePythonBindingsTests, 'test_' + f, stub_test)
     return unittest.main(verbosity=2)
 
 

libraries/libapparmor/testsuite/test_multi.c

@@ -107,7 +107,7 @@ int print_results(aa_log_record *record)
 		print_string("Name", record->name);
 		print_string("Command", record->comm);
 		print_string("Name2", record->name2);
-		print_string("Namespace", record->namespace);
+		print_string("Namespace", record->aa_namespace);
 		print_string("Attribute", record->attribute);
 		print_long("Task", record->task, 0);
 		print_long("Parent", record->parent, 0);
@@ -142,7 +142,7 @@ int print_results(aa_log_record *record)
 
 		print_string("Execpath", record->execpath);
 
-		print_string("Class", record->class);
+		print_string("Class", record->rule_class);
 
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);

libraries/libapparmor/testsuite/test_multi/testcase36.in

@@ -0,0 +1 @@
+2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122

libraries/libapparmor/testsuite/test_multi/testcase36.out

@@ -0,0 +1,15 @@
+START
+File: testcase36.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1737963096.225:3240
+Operation: getattr
+Mask: r
+fsuid: 122
+ouid: 122
+Profile: /usr/sbin/mosquitto
+Name: /etc/mosquitto/pwfile
+Command: mosquitto
+PID: 8119
+Class: file
+Epoch: 1737963096
+Audit subid: 3240

libraries/libapparmor/testsuite/test_multi/testcase36.profile

@@ -0,0 +1,4 @@
+/usr/sbin/mosquitto {
+  /etc/mosquitto/pwfile r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_network_12.in

@@ -0,0 +1 @@
+[  310.308737] audit: type=1400 audit(1724847289.985:631): apparmor="ALLOWED" operation="getsockname" class="net" profile="/usr/bin/wg" pid=15374 comm="wg" laddr=::ffff:127.0.0.1 lport=53131 faddr=::ffff:127.0.0.1 fport=51821 saddr=::ffff:127.0.0.1 src=53131 family="inet6" sock_type="dgram" protocol=17 requested="getattr" denied="getattr"

libraries/libapparmor/testsuite/test_multi/testcase_network_12.out

@@ -0,0 +1,20 @@
+START
+File: testcase_network_12.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1724847289.985:631
+Operation: getsockname
+Mask: getattr
+Denied Mask: getattr
+Profile: /usr/bin/wg
+Command: wg
+PID: 15374
+Network family: inet6
+Socket type: dgram
+Protocol: udp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 53131
+Foreign port: 51821
+Class: net
+Epoch: 1724847289
+Audit subid: 631

libraries/libapparmor/testsuite/test_multi/testcase_network_12.profile

@@ -0,0 +1,4 @@
+/usr/bin/wg {
+  network (getattr) inet6 dgram ip=::ffff:127.0.0.1 port=53131,
+
+}

parser/Makefile

@@ -38,7 +38,7 @@ MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 aa-teardown.8 apparmor_xattrs
 # parse.error=verbose supported from 3.0 so just test on that
 # TODO move to autoconf
 BISON_MAJOR:=$(shell bison --version |  awk '/^bison/ { print ($$NF) }'  | awk -F. '{print $$1 }')
-USE_PARSE_ERROR:=$(shell test ${BISON_MAJOR} -ge 3 && echo true)
+USE_PARSE_ERROR:=$(shell test "${BISON_MAJOR}" -ge 3 && echo true)
 
 YACC	:= bison
 YFLAGS	:= -d
@@ -365,6 +365,9 @@ cap_names.h: generated_cap_names.h base_cap_names.h
 		exit 1; \
 	fi
 
+.PHONY: tst_binaries
+tst_binaries: $(TESTS)
+
 tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
 tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})

parser/apparmor.d.pod

@@ -175,7 +175,7 @@ B<NETWORK PEER EXPR> = 'peer' '=' '(' ( I<NETWORK IP COND> | I<NETWORK PORT COND
 
 B<NETWORK IP COND> = 'ip' '=' ( 'none' | I<NETWORK IPV4> | I<NETWORK IPV6> )
 
-B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> )
+B<NETWORK PORT COND> = 'port' '=' ( I<NETWORK PORT> | I<NETWORK PORT> '-' I<NETWORK PORT> )
 
 B<NETWORK IPV4> = IPv4, represented by four 8-bit decimal numbers separated by '.'
 
@@ -996,13 +996,14 @@ can be represented by:
  network ip=0.0.0.0;	#allow INADDR_ANY
 
 The network rules support the specification of local and remote IP
-addresses and ports.
+addresses, ports, and port ranges.
 
  network ip=127.0.0.1 port=8080,
  network peer=(ip=10.139.15.23 port=8081),
  network ip=fd74:1820:b03a:b361::cf32 peer=(ip=fd74:1820:b03a:b361::a0f9),
  network port=8080 peer=(port=8081),
  network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
+ network ip=127.0.0.1 port=8080-8084,
 
 =head2 Mount Rules
 
@@ -1023,7 +1024,7 @@ If a conditional is specified using '=', then the rule only grants permission
 for mounts matching the exactly specified options. For example, an AppArmor
 policy with the following rule:
 
-    mount options=ro /dev/foo -E<gt> /mnt/,
+    mount options=ro /dev/foo -> /mnt/,
 
 Would match:
 
@@ -1070,7 +1071,7 @@ grants permission for each set of options. This provides a shorthand when
 writing mount rules which might help to logically break up a conditional. For
 example, if an AppArmor policy has the following rule:
 
-    mount options=ro options=atime
+    mount options=ro options=atime,
 
 both of these mount commands will match:
 
@@ -1318,7 +1319,7 @@ Example IO_URING rules:
 =over 4
 
   # Allow io_uring operations
-  io_ring,
+  io_uring,
 
   # Allow creation of a polling thread
   io_uring sqpoll,
@@ -1338,8 +1339,9 @@ pivot_root(2) is optionally specified in the 'pivot_root' rule using the
 'oldroot=' prefix.
 
 AppArmor 'pivot_root' rules can specify a profile transition to occur during
-the pivot_root(2) system call. Note that AppArmor will only transition the
-process calling pivot_root(2) to the new profile.
+the pivot_root(2) system call. Note that currently, this feature is not
+supported by any kernel. When this feature will be supported, AppArmor will
+only transition the process calling pivot_root(2) to the new profile.
 
 The paths specified in 'pivot_root' rules must end with '/' since they are
 directories.
@@ -1794,6 +1796,61 @@ F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
 The special B<@{profile_name}> variable is set to the profile name and may be
 used in all policy.
 
+=head3 Notes on variable expansion and the / character
+
+It is important to note that how AppArmor performs variable expansion
+depends on the context where a variable is used. When a variable is
+expanded it can result in a string with multiple path characters
+next to each other, in a way that is not evident when looking at
+policy.
+
+Eg.
+
+=over 4
+
+Given the following variable definition and rule
+
+@{HOME}=/home/*/
+file rw @{HOME}/*,
+
+The variable expansion results in a rule of
+
+file rw /home/*//*.
+
+=back
+
+When this occurs in a context where a path is expected, AppArmor will
+canonicalize the path by collapsing consecutive / characters into
+a single character. For the above example, this would be
+
+  file rw /home/*/*,
+
+There is one exception to this rule, when the consecutive / characters
+are at the beginning of a path, this indicates a posix namespace
+and the characters will not be collapsed.
+
+Eg.
+
+=over 4
+
+@{HOME}=/home/*/
+file rw /@{HOME}/*,
+
+will result in an expansion of
+
+file rw //home/*//*,
+
+which is collapsed to
+
+file rw //home/*/*,
+
+Note: that the leading // in the above example is not collapsed to a
+single /. However the second // (that was also seen in the first
+example) is collapsed.
+
+=back
+
+
 =head2 Alias rules
 
 AppArmor also provides alias rules for remapping paths for site-specific
@@ -2095,7 +2152,7 @@ An example AppArmor profile:
   	  /usr/lib/**         r,
   	  /tmp/foo.pid        wr,
   	  /tmp/foo.*          lrw,
-	  /@{HOME}/.foo_file  rw,
+	  @{HOME}/.foo_file  rw,
 	  /usr/bin/baz        Cx -> baz,
 
 	  # a comment about foo's hat (subprofile), bar.

parser/common_optarg.c

@@ -43,7 +43,13 @@ optflag_table_t dumpflag_table[] = {
 	{ 1, "dfa-progress", "Dump dfa creation as in progress",
 	  DUMP_DFA_PROGRESS | DUMP_DFA_STATS },
 	{ 1, "dfa-stats", "Dump dfa creation stats", DUMP_DFA_STATS },
-	{ 1, "dfa-states", "Dump dfa state diagram", DUMP_DFA_STATES },
+	{ 1, "dfa-states", "Dump final dfa state information", DUMP_DFA_STATES },
+	{ 1, "dfa-compressed-states", "Dump compressed dfa state information", DUMP_DFA_COMPTRESSED_STATES },
+	{ 1, "dfa-states-initial", "Dump dfa state immediately after initial build", DUMP_DFA_STATES_INIT },
+	{ 1, "dfa-states-post-filter", "Dump dfa state immediately after filtering deny", DUMP_DFA_STATES_POST_FILTER },
+	{ 1, "dfa-states-post-minimize", "Dump dfa state immediately after initial build", DUMP_DFA_STATES_POST_MINIMIZE },
+	{ 1, "dfa-states-post-unreachable", "Dump dfa state immediately after filtering deny", DUMP_DFA_STATES_POST_UNREACHABLE },
+	{ 1, "dfa-perms-build", "Dump permission being built from accept node", DUMP_DFA_PERMS },
 	{ 1, "dfa-graph", "Dump dfa dot (graphviz) graph", DUMP_DFA_GRAPH },
 	{ 1, "dfa-minimize", "Dump dfa minimization", DUMP_DFA_MINIMIZE },
 	{ 1, "dfa-unreachable", "Dump dfa unreachable states",

parser/immunix.h

@@ -95,6 +95,12 @@
 #define ALL_USER_EXEC			(AA_USER_EXEC | AA_USER_EXEC_TYPE)
 #define ALL_OTHER_EXEC			(AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
 
+#define AA_USER_EXEC_INHERIT		(AA_EXEC_INHERIT << AA_USER_SHIFT)
+#define AA_OTHER_EXEC_INHERIT		(AA_EXEC_INHERIT << AA_OTHER_SHIFT)
+
+#define AA_USER_EXEC_MMAP		(AA_OLD_EXEC_MMAP << AA_USER_SHIFT)
+#define AA_OTHER_EXEC_MMAP		(AA_OLD_EXEC_MMAP << AA_OTHER_SHIFT)
+
 #define AA_LINK_BITS			((AA_OLD_MAY_LINK << AA_USER_SHIFT) | \
 					 (AA_OLD_MAY_LINK << AA_OTHER_SHIFT))
 
@@ -175,6 +181,28 @@ static inline int is_merged_x_consistent(int a, int b)
 	return 1;
 }
 
+/* Arbitrary max and minimum priority that userspace can specify,
+ * internally we handle up to MAX_INTERNAL_PRIORITY and
+ * MIN_INTERNAL_PRIORITY. Do not ever allow INT_MAX, or INT_MIN
+ * because cmp uses subtraction and it can cause overflow.  Ensure we
+ * don't over/underflow make internal max/min one more than allowed on
+ * rules.
+ *
+ * see
+ * note on mediates_priority
+ */
+#define MIN_POLICY_PRIORITY (-1000)
+#define MAX_POLICY_PRIORITY (1000)
+
+/* internally we need a priority that any policy based rule can override
+ * and a priority that no policy based rule can override. These are
+ * used on rules encoding what abi/classes are supported by the
+ * compiled policy.
+ */
+#define MIN_INTERNAL_PRIORITY (MIN_POLICY_PRIORITY - 1)
+#define MAX_INTERNAL_PRIORITY (MAX_POLICY_PRIORITY + 1)
+
+
 #endif				/* ! _IMMUNIX_H */
 
 /*  LocalWords:  MMAP

parser/io_uring.cc

@@ -127,6 +127,13 @@ int io_uring_rule::gen_policy_re(Profile &prof)
 					audit == AUDIT_FORCE ? perms : 0,
 					parseopts))
 			goto fail;
+		/* add a mediates_io_uring rule for every rule added. It
+		 * needs to be the same priority
+		 */
+		if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+					RULE_ALLOW, AA_MAY_READ, 0,
+					parseopts))
+			goto fail;
 
 		if (perms & AA_IO_URING_OVERRIDE_CREDS) {
 			buf = buffer.str(); /* update buf to have label */

parser/libapparmor_re/Makefile

@@ -14,6 +14,14 @@ AR ?= ar
 CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS} -std=gnu++0x
 CXXFLAGS := ${CFLAGS} ${INCLUDE_APPARMOR}
 
+LIB_HDRS = aare_rules.h flex-tables.h apparmor_re.h hfa.h chfa.h parse.h \
+	expr-tree.h policy_compat.h
+
+OTHER_HDRS =  ../common_optarg.h ../common_flags.h ../immunix.h \
+	../policydb.h ../perms.h ../rule.h
+
+HDRS = ${LIB_HDRS} ${OTHER_HDRS}
+
 ARFLAGS=-rcs
 
 BISON := bison
@@ -27,17 +35,17 @@ libapparmor_re.a: parse.o expr-tree.o hfa.o chfa.o aare_rules.o policy_compat.o
 
 expr-tree.o: expr-tree.cc expr-tree.h
 
-hfa.o: hfa.cc apparmor_re.h hfa.h ../immunix.h  policy_compat.h
+hfa.o: hfa.cc ${HDRS}
 
-aare_rules.o: aare_rules.cc aare_rules.h apparmor_re.h expr-tree.h hfa.h chfa.h parse.h ../immunix.h
+aare_rules.o: aare_rules.cc ${HDRS}
 
-chfa.o: chfa.cc chfa.h ../immunix.h
+chfa.o: chfa.cc ${HDRS}
 
-policy_compat.o: policy_compat.cc policy_compat.h ../perms.h ../immunix.h
+policy_compat.o: policy_compat.cc ${HDRS}
 
-parse.o : parse.cc apparmor_re.h expr-tree.h
+parse.o : parse.cc ${HDRS}
 
-parse.cc : parse.y parse.h flex-tables.h ../immunix.h
+parse.cc : parse.y ${HDRS}
 	${BISON} -o $@ $<
 
 clean:

parser/libapparmor_re/aare_rules.cc

@@ -258,6 +258,9 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 		if (opts.dump & DUMP_DFA_UNIQ_PERMS)
 			dfa.dump_uniq_perms("dfa");
 
+		if (opts.dump & DUMP_DFA_STATES_INIT)
+			dfa.dump(cerr, NULL);
+
 		/* since we are building a chfa, use the info about
 		 * whether the chfa supports extended perms to help
 		 * determine whether we clear the deny info.
@@ -265,25 +268,26 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 		 * information supported by the backed
 		 */
 		if (!extended_perms ||
-		    // TODO: we should drop DFA_MINIMIZE check here but doing
-		    // so changes behavior. Do as a separate patch and fixup
-		    // tests, etc.
-		    ((opts.control & CONTROL_DFA_FILTER_DENY) &&
-		     (opts.control & CONTROL_DFA_MINIMIZE)))
+		    ((opts.control & CONTROL_DFA_FILTER_DENY))) {
 			dfa.apply_and_clear_deny();
-
+			if (opts.dump & DUMP_DFA_STATES_POST_FILTER)
+				dfa.dump(cerr, NULL);
+		}
 		if (opts.control & CONTROL_DFA_MINIMIZE) {
 			dfa.minimize(opts);
-
 			if (opts.dump & DUMP_DFA_MIN_UNIQ_PERMS)
 				dfa.dump_uniq_perms("minimized dfa");
+			if (opts.dump & DUMP_DFA_STATES_POST_MINIMIZE)
+				dfa.dump(cerr, NULL);
 		}
 
-		if (opts.control & CONTROL_DFA_REMOVE_UNREACHABLE)
+		if (opts.control & CONTROL_DFA_REMOVE_UNREACHABLE) {
 			dfa.remove_unreachable(opts);
-
+			if (opts.dump & DUMP_DFA_STATES_POST_UNREACHABLE)
+				dfa.dump(cerr, NULL);
+		}
 		if (opts.dump & DUMP_DFA_STATES)
-			dfa.dump(cerr);
+			dfa.dump(cerr, NULL);
 
 		if (opts.dump & DUMP_DFA_GRAPH)
 			dfa.dump_dot_graph(cerr);
@@ -310,11 +314,25 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 		//cerr << "Checking extended perms " << extended_perms << "\n";
 		if (extended_perms) {
 			//cerr << "creating permstable\n";
-		  dfa.compute_perms_table(perms_table, prompt);
+			dfa.compute_perms_table(perms_table, prompt);
+			// TODO: move perms table to a class
+			if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
+				cerr << "Perms Table size: " << perms_table.size() << "\n";
+				perms_table[0].dump_header(cerr);
+				for (size_t i = 0; i < perms_table.size(); i++) {
+					perms_table[i].dump(cerr);
+					cerr << "accept1: 0x";
+					cerr << ", accept2: 0x";
+					cerr << "\n";
+				}
+				cerr << "\n";
+			}
 		}
 		chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
 		if (opts.dump & DUMP_DFA_TRANS_TABLE)
 			chfa->dump(cerr);
+		if (opts.dump & DUMP_DFA_COMPTRESSED_STATES)
+			dfa.dump(cerr, &chfa->num);
 	}
 	catch(int error) {
 		return NULL;

parser/libapparmor_re/aare_rules.h

@@ -90,8 +90,10 @@ public:
 			else
 				node = new MatchFlag(priority, perms, audit);
 			pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));
-			if (val.second == false)
+			if (val.second == false) {
+				delete node;
 				return val.first->second;
+			}
 			return node;
 		}
 		return res->second;

parser/libapparmor_re/apparmor_re.h

@@ -60,5 +60,11 @@
 #define DUMP_RULE_MERGE			(1 << 22)
 #define DUMP_DFA_STATE32		(1 << 23)
 #define DUMP_DFA_FLAGS_TABLE		(1 << 24)
+#define DUMP_DFA_STATES_INIT 		(1 << 25)
+#define DUMP_DFA_STATES_POST_FILTER 	(1 << 26)
+#define DUMP_DFA_STATES_POST_MINIMIZE	(1 << 27)
+#define DUMP_DFA_STATES_POST_UNREACHABLE (1 << 28)
+#define DUMP_DFA_COMPTRESSED_STATES	(1 << 29)
+#define DUMP_DFA_PERMS			(1 << 30)
 
 #endif /* APPARMOR_RE_H */

parser/libapparmor_re/chfa.cc

@@ -307,11 +307,16 @@ void CHFA::dump(ostream &os)
 		st.insert(make_pair(i->second, i->first));
 	}
 
-	os << "size=" << default_base.size() << " (accept, default, base):  {state} -> {default state}" << "\n";
+	os << "size=" << default_base.size() << " (accept, accept2, default, base):  {state} -> {default state}" << "\n";
 	for (size_t i = 0; i < default_base.size(); i++) {
 		os << i << ": ";
-		os << "(" << accept[i] << ", " << num[default_base[i].first]
-		   << ", " << default_base[i].second << ")";
+		os << "(" << accept[i] << ", ";
+		if (accept2.size() > 0)
+			os << accept2[i];
+		else
+			os << "---, ";
+		os << num[default_base[i].first] << ", " <<
+			default_base[i].second << ")";
 		if (st[i])
 			os << " " << *st[i];
 		if (default_base[i].first)

parser/libapparmor_re/chfa.h

@@ -63,7 +63,7 @@ class CHFA {
 	DefaultBase default_base;
 	NextCheck next_check;
 	const State *start;
-	map<const State *, size_t> num;
+	Renumber_Map num;
 	map<transchar, transchar> eq;
 	unsigned int chfaflags;
       private:

parser/libapparmor_re/expr-tree.h

@@ -245,6 +245,7 @@ ostream &operator<<(ostream &os, Node &node);
 #define NODE_TYPE_MATCHFLAG		(1 << 18)
 #define NODE_TYPE_EXACTMATCHFLAG	(1 << 19)
 #define NODE_TYPE_DENYMATCHFLAG		(1 << 20)
+#define NODE_TYPE_PROMPTMATCHFLAG	(1 << 21)
 
 /* An abstract node in the syntax tree. */
 class Node {
@@ -890,7 +891,7 @@ public:
 	{
 		type_flags |= NODE_TYPE_MATCHFLAG;
 	}
-	ostream &dump(ostream &os) { return os << "< 0x" << hex << perms << '>'; }
+	ostream &dump(ostream &os) { return os << "< 0x" << hex << perms << std::dec << '>'; }
 
 	int priority;
 	perm32_t perms;
@@ -915,7 +916,10 @@ public:
 
 class PromptMatchFlag: public MatchFlag {
 public:
-	PromptMatchFlag(int priority, perm32_t prompt, perm32_t audit): MatchFlag(priority, prompt, audit) {}
+	PromptMatchFlag(int priority, perm32_t prompt, perm32_t audit): MatchFlag(priority, prompt, audit)
+	{
+		type_flags |= NODE_TYPE_PROMPTMATCHFLAG;
+	}
 };
 
 

parser/libapparmor_re/hfa.cc

@@ -83,6 +83,21 @@ ostream &operator<<(ostream &os, State &state)
 	return os;
 }
 
+ostream &operator<<(ostream &os,
+		    const std::pair<State * const, Renumber_Map *> &p)
+{
+	/* dump the state label */
+	if (p.second && (*p.second)[p.first] != (size_t) p.first->label) {
+		os << '{';
+		os << (*p.second)[p.first];
+		os << " == " << *(p.first);
+		os << '}';
+	} else {
+		os << *(p.first);
+	}
+	return os;
+}
+
 /**
  * diff_weight - Find differential compression distance between @rel and @this
  * @rel: State to compare too
@@ -302,7 +317,8 @@ static void split_node_types(NodeSet *nodes, NodeSet **anodes, NodeSet **nnodes
 	*nnodes = nodes;
 }
 
-State *DFA::add_new_state(NodeSet *anodes, NodeSet *nnodes, State *other)
+State *DFA::add_new_state(optflags const &opts, NodeSet *anodes,
+			  NodeSet *nnodes, State *other)
 {
 	NodeVec *nnodev, *anodev;
 	nnodev = nnodes_cache.insert(nnodes);
@@ -310,7 +326,7 @@ State *DFA::add_new_state(NodeSet *anodes, NodeSet *nnodes, State *other)
 
 	ProtoState proto;
 	proto.init(nnodev, anodev);
-	State *state = new State(node_map.size(), proto, other, filedfa);
+	State *state = new State(opts, node_map.size(), proto, other, filedfa);
 	pair<NodeMap::iterator,bool> x = node_map.insert(proto, state);
 	if (x.second == false) {
 		delete state;
@@ -322,7 +338,7 @@ State *DFA::add_new_state(NodeSet *anodes, NodeSet *nnodes, State *other)
 	return x.first->second;
 }
 
-State *DFA::add_new_state(NodeSet *nodes, State *other)
+State *DFA::add_new_state(optflags const &opts, NodeSet *nodes, State *other)
 {
 	/* The splitting of nodes should probably get pushed down into
 	 * follow(), ie. put in separate lists from the start
@@ -330,12 +346,12 @@ State *DFA::add_new_state(NodeSet *nodes, State *other)
 	NodeSet *anodes, *nnodes;
 	split_node_types(nodes, &anodes, &nnodes);
 
-	State *state = add_new_state(anodes, nnodes, other);
+	State *state = add_new_state(opts, anodes, nnodes, other);
 
 	return state;
 }
 
-void DFA::update_state_transitions(State *state)
+void DFA::update_state_transitions(optflags const &opts, State *state)
 {
 	/* Compute possible transitions for state->nodes.  This is done by
 	 * iterating over all the nodes in state->nodes and combining the
@@ -358,7 +374,8 @@ void DFA::update_state_transitions(State *state)
 
 	/* check the default transition first */
 	if (cases.otherwise)
-		state->otherwise = add_new_state(cases.otherwise, nonmatching);
+		state->otherwise = add_new_state(opts, cases.otherwise,
+						 nonmatching);
 	else
 		state->otherwise = nonmatching;
 
@@ -367,7 +384,7 @@ void DFA::update_state_transitions(State *state)
 	 */
 	for (Cases::iterator j = cases.begin(); j != cases.end(); j++) {
 		State *target;
-		target = add_new_state(j->second, nonmatching);
+		target = add_new_state(opts, j->second, nonmatching);
 
 		/* Don't insert transition that the otherwise transition
 		 * already covers
@@ -414,7 +431,7 @@ void DFA::process_work_queue(const char *header, optflags const &opts)
 		/* Update 'from's transitions, and if it transitions to any
 		 * unknown State create it and add it to the work_queue
 		 */
-		update_state_transitions(from);
+		update_state_transitions(opts, from);
 	}  /* while (!work_queue.empty()) */
 }
 
@@ -444,8 +461,8 @@ DFA::DFA(Node *root, optflags const &opts, bool buildfiledfa): root(root), filed
 		(*i)->compute_followpos();
 	}
 
-	nonmatching = add_new_state(new NodeSet, NULL);
-	start = add_new_state(new NodeSet(root->firstpos), nonmatching);
+	nonmatching = add_new_state(opts, new NodeSet, NULL);
+	start = add_new_state(opts, new NodeSet(root->firstpos), nonmatching);
 
 	/* the work_queue contains the states that need to have their
 	 * transitions computed.  This could be done with a recursive
@@ -493,11 +510,6 @@ DFA::DFA(Node *root, optflags const &opts, bool buildfiledfa): root(root), filed
 	 */
 	nnodes_cache.clear();
 	node_map.clear();
-	/* once created the priority information is no longer needed and
-	 * can prevent sets with the same perms and different priorities
-	 * from being merged during minimization
-	 */
-	clear_priorities();
 }
 
 DFA::~DFA()
@@ -651,13 +663,6 @@ int DFA::apply_and_clear_deny(void)
 	return c;
 }
 
-void DFA::clear_priorities(void)
-{
-	for (Partition::iterator i = states.begin(); i != states.end(); i++)
-		(*i)->perms.priority = 0;
-}
-
-
 
 /* minimize the number of dfa states */
 void DFA::minimize(optflags const &opts)
@@ -1075,11 +1080,11 @@ void DFA::dump_diff_encode(ostream &os)
 /**
  * text-dump the DFA (for debugging).
  */
-void DFA::dump(ostream & os)
+void DFA::dump(ostream &os, Renumber_Map *renum)
 {
 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
 		if (*i == start || (*i)->perms.is_accept()) {
-			os << **i;
+			os << make_pair(*i, renum);
 			if (*i == start) {
 				os << " <== ";
 				(*i)->perms.dump_header(os);
@@ -1102,7 +1107,7 @@ void DFA::dump(ostream & os)
 			} else {
 				if (first) {
 					first = false;
-					os << **i << " perms: ";
+					os << make_pair(*i, renum) << " perms: ";
 					if ((*i)->perms.is_accept())
 						(*i)->perms.dump(os);
 					else
@@ -1110,7 +1115,7 @@ void DFA::dump(ostream & os)
 					os << "\n";
 				}
 				os << "    "; j->first.dump(os) << " -> " <<
-					*(j)->second;
+					make_pair(j->second, renum);
 				if ((j)->second->perms.is_accept())
 					os << " ", (j->second)->perms.dump(os);
 				os << "\n";
@@ -1120,7 +1125,7 @@ void DFA::dump(ostream & os)
 		if ((*i)->otherwise != nonmatching) {
 			if (first) {
 				first = false;
-				os << **i << " perms: ";
+				os << make_pair(*i, renum) << " perms: ";
 				if ((*i)->perms.is_accept())
 					(*i)->perms.dump(os);
 				else
@@ -1135,7 +1140,7 @@ void DFA::dump(ostream & os)
 					os << *k;
 				}
 			}
-			os << "] -> " << *(*i)->otherwise;
+			os << "] -> " << make_pair((*i)->otherwise, renum);
 			if ((*i)->otherwise->perms.is_accept())
 				os << " ", (*i)->otherwise->perms.dump(os);
 			os << "\n";
@@ -1334,8 +1339,7 @@ void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
 	perms_table.resize(states.size() * mult);
 
 	// nonmatching and start need to be 0 and 1 so handle outside of loop
-	if (filedfa)
-	  compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
+	compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
 	compute_perms_table_ent(start, 1, perms_table, prompt);
 
 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
@@ -1382,84 +1386,184 @@ static inline int diff_qualifiers(perm32_t perm1, perm32_t perm2)
 		(perm1 & AA_EXEC_TYPE) != (perm2 & AA_EXEC_TYPE));
 }
 
+/* update a single permission based on priority - only called if match->perm | match-> audit bit set */
+static int pri_update_perm(optflags const &opts, vector<int> &priority, int i,
+			   MatchFlag *match, perms_t &perms, perms_t &exact,
+			   bool filedfa)
+{
+	if (priority[i] > match->priority) {
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << "    " << match << "[" << i << "]=" << priority[i] << " > " << match->priority << " SKIPPING " << hex << (match->perms) << "/" << (match->audit) << dec << "\n";
+		return 0;
+	}
+
+	perm32_t xmask = 0;
+	perm32_t mask = 1 << i;
+	perm32_t amask = mask;
+
+	// drop once we move the xindex out of the perms in the front end
+	if (filedfa) {
+		if (mask & AA_USER_EXEC) {
+			xmask = AA_USER_EXEC_TYPE;
+			// ix implies EXEC_MMAP
+			if (match->perms & AA_EXEC_INHERIT) {
+				xmask |= AA_USER_EXEC_MMAP;
+				//USER_EXEC_MAP = 6
+				if (priority[6] < match->priority)
+					priority[6] = match->priority;
+			}
+			amask = mask | xmask;
+		} else if (mask & AA_OTHER_EXEC) {
+			xmask = AA_OTHER_EXEC_TYPE;
+			// ix implies EXEC_MMAP
+			if (match->perms & AA_OTHER_EXEC_INHERIT) {
+				xmask |= AA_OTHER_EXEC_MMAP;
+				//OTHER_EXEC_MAP = 20
+				if (priority[20] < match->priority)
+					priority[20] = match->priority;
+			}
+			amask = mask | xmask;
+		} else if (((mask & AA_USER_EXEC_MMAP) &&
+			   (match->perms & AA_USER_EXEC_INHERIT)) ||
+			   ((mask & AA_OTHER_EXEC_MMAP) &&
+			    (match->perms & AA_OTHER_EXEC_INHERIT))) {
+			// if exec && ix we handled mmp above
+			if (opts.dump & DUMP_DFA_PERMS)
+				cerr << "    " << match << "[" << i << "]=" << priority[i] << " <= " << match->priority << " SKIPPING mmap unmasked " << hex << match->perms << "/" << match->audit << " masked " << (match->perms & amask) << "/" << (match->audit & amask) << " data " << (perms.allow & mask) << "/" << (perms.audit & mask) << " exact " << (exact.allow & mask) << "/" << (exact.audit & mask) << dec << "\n";
+			return 0;
+		}
+	}
+
+	if (opts.dump & DUMP_DFA_PERMS)
+		cerr << "  " << match << "[" << i << "]=" << priority[i] <<  " vs. " << match->priority << " mask: " << hex << mask << " xmask: " << xmask << " amask: " << amask << dec << "\n";
+	if (priority[i] < match->priority) {
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " < " << match->priority << " clearing " << hex << (perms.allow & amask) << "/" << (perms.audit & amask) << " -> " << dec;
+		priority[i] = match->priority;
+		perms.clear_bits(amask);
+		exact.clear_bits(amask);
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << hex << (perms.allow & amask) << "/" << (perms.audit & amask) << dec << "\n";
+	}
+
+	// the if conditions in order of permission priority
+	if (match->is_type(NODE_TYPE_DENYMATCHFLAG)) {
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << "    " << match << "[" << i << "]=" << priority[i] << " <= " << match->priority << " deny " << hex << (match->perms & amask) << "/" << (match->audit & amask) << dec << "\n";
+		perms.deny |= match->perms & amask;
+		perms.quiet |= match->audit & amask;
+
+		perms.allow &= ~amask;
+		perms.audit &= ~amask;
+		perms.prompt &= ~amask;
+	} else if (match->is_type(NODE_TYPE_EXACTMATCHFLAG)) {
+		/* exact match only asserts dominance on the XTYPE */
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " <= " << match->priority << " exact " << hex << (match->perms & amask) << "/" << (match->audit & amask) << dec << "\n";
+		if (filedfa &&
+		    !is_merged_x_consistent(exact.allow, match->perms & amask)) {
+			if (opts.dump & DUMP_DFA_PERMS)
+				cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " <= " << match->priority << " exact match conflict" << "\n";
+			return 1;
+		}
+		exact.allow |= match->perms & amask;
+		exact.audit |= match->audit & amask;
+
+		// dominance is only done for XTYPE so only clear that
+		// note xmask only set if setting x perm bit, so this
+		// won't clear for other bit types
+		perms.allow &= ~xmask;
+		perms.audit &= ~xmask;
+		perms.prompt &= ~xmask;
+
+		perms.allow |= match->perms & amask;
+		perms.audit |= match->audit & amask;
+		// can't specify exact prompt atm
+
+	} else if (!match->is_type(NODE_TYPE_PROMPTMATCHFLAG)) {
+		// allow perms, if exact has been encountered will already be set
+		// if overlaps x here, don't conflict, because exact will override
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " <= " << match->priority << " allow " << hex << (match->perms & amask) << "/" << (match->audit & amask) << dec << "\n";
+		if (filedfa && !(exact.allow & mask) &&
+		    !is_merged_x_consistent(perms.allow, match->perms & amask)) {
+			if (opts.dump & DUMP_DFA_PERMS)
+				cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " <= " << match->priority << " allow match conflict" << "\n";
+			return 1;
+		}
+		// mask off if XTYPE in xmatch
+		if ((exact.allow | exact.audit) & mask) {
+			// mask == amask & ~xmask
+			perms.allow |= match->perms & mask;
+			perms.audit |= match->audit & mask;
+		} else {
+			perms.allow |= match->perms & amask;
+			perms.audit |= match->audit & amask;
+		}
+	} else { // if (match->is_type(NODE_TYPE_PROMPTMATCHFLAG)) {
+		if (opts.dump & DUMP_DFA_PERMS)
+			cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " <= " << match->priority << " promt " << hex << (match->perms & amask) << "/" << (match->audit & amask) << dec << "\n";
+		if (filedfa && !((exact.allow | perms.allow) & mask) &&
+		    !is_merged_x_consistent(perms.allow, match->perms & amask)) {
+			if (opts.dump & DUMP_DFA_PERMS)
+				cerr << "    " << match << "[" << i << "]=" << priority[i] <<  " <= " << match->priority << " prompt match conflict" << "\n";
+			return 1;
+		}
+		if ((exact.allow | exact.audit | perms.allow | perms.audit) & mask) {
+			// mask == amask & ~xmask
+			perms.prompt |= match->perms & mask;
+			perms.audit |= match->audit & mask;
+		} else {
+			perms.prompt |= match->perms & amask;
+			perms.audit |= match->audit & amask;
+		}
+	}
+
+	return 0;
+}
+
 /**
  * Compute the permission flags that this state corresponds to. If we
  * have any exact matches, then they override the execute and safe
  * execute flags.
  */
-int accept_perms(NodeVec *state, perms_t &perms, bool filedfa)
+int accept_perms(optflags const &opts, NodeVec *state, perms_t &perms,
+		 bool filedfa)
 {
 	int error = 0;
 	perms_t exact;
-
+	std::vector<int>  priority(sizeof(perm32_t)*8,  MIN_INTERNAL_PRIORITY);	// 32 but wan't tied to perm32_t
 	perms.clear();
 
 	if (!state)
 		return error;
-
+	if (opts.dump & DUMP_DFA_PERMS)
+		cerr << "Building\n";
 	for (NodeVec::iterator i = state->begin(); i != state->end(); i++) {
 		if (!(*i)->is_type(NODE_TYPE_MATCHFLAG))
 			continue;
 
 		MatchFlag *match = static_cast<MatchFlag *>(*i);
-		if (perms.priority > match->priority)
-			continue;
 
-		if (perms.priority < match->priority) {
-			perms.clear(match->priority);
-			exact.clear(match->priority);
-		}
-		if (match->is_type(NODE_TYPE_EXACTMATCHFLAG)) {
-			/* exact match only ever happens with x */
-			if (filedfa &&
-			    !is_merged_x_consistent(exact.allow, match->perms))
-				error = 1;
-			exact.allow |= match->perms;
-			exact.audit |= match->audit;
-		} else if (match->is_type(NODE_TYPE_DENYMATCHFLAG)) {
-			perms.deny |= match->perms;
-			perms.quiet |= match->audit;
-		} else if (dynamic_cast<PromptMatchFlag *>(match)) {
-			perms.prompt |= match->perms;
-			perms.audit |= match->audit;
-		} else {
-			if (filedfa &&
-			    !is_merged_x_consistent(perms.allow, match->perms))
-				error = 1;
-			perms.allow |= match->perms;
-			perms.audit |= match->audit;
+		perm32_t bit = 1;
+		perm32_t check = match->perms | match->audit;
+		if (filedfa)
+			check &= ~ALL_AA_EXEC_TYPE;
+
+		for (int i = 0;  check; i++) {
+			if (check & bit) {
+				error = pri_update_perm(opts, priority, i, match, perms, exact, filedfa);
+				if (error)
+					goto out;
+			}
+			check &= ~bit;
+			bit <<= 1;
 		}
 	}
-
-	if (filedfa) {
-		perms.allow |= exact.allow & ~(ALL_AA_EXEC_TYPE);
-		perms.prompt |= exact.prompt & ~(ALL_AA_EXEC_TYPE);
-		perms.audit |= exact.audit & ~(ALL_AA_EXEC_TYPE);
-	} else {
-		perms.allow |= exact.allow;
-		perms.prompt |= exact.prompt;
-		perms.audit |= exact.audit;
+	if (opts.dump & DUMP_DFA_PERMS) {
+		cerr << "  computed: ";  perms.dump(cerr); cerr << "\n";
 	}
-	if (exact.allow & AA_USER_EXEC) {
-		perms.allow = (exact.allow & AA_USER_EXEC_TYPE) |
-			(perms.allow & ~AA_USER_EXEC_TYPE);
-		perms.exact = AA_USER_EXEC_TYPE;
-	}
-	if (exact.allow & AA_OTHER_EXEC) {
-		perms.allow = (exact.allow & AA_OTHER_EXEC_TYPE) |
-			(perms.allow & ~AA_OTHER_EXEC_TYPE);
-		perms.exact |= AA_OTHER_EXEC_TYPE;
-	}
-	if (filedfa && (AA_USER_EXEC & perms.deny))
-		perms.deny |= AA_USER_EXEC_TYPE;
-
-	if (filedfa && (AA_OTHER_EXEC & perms.deny))
-		perms.deny |= AA_OTHER_EXEC_TYPE;
-
-	perms.allow &= ~perms.deny;
-	perms.quiet &= perms.deny;
-	perms.prompt &= ~perms.deny;
-	perms.prompt &= ~perms.allow;
+out:
 	if (error)
 		fprintf(stderr, "profile has merged rule with conflicting x modifiers\n");
 

parser/libapparmor_re/hfa.h

@@ -52,37 +52,37 @@ ostream &operator<<(ostream &os, State &state);
 
 class perms_t {
 public:
-	perms_t(void): priority(INT_MIN), allow(0), deny(0), prompt(0), audit(0), quiet(0), exact(0) { };
+	perms_t(void): allow(0), deny(0), prompt(0), audit(0), quiet(0), exact(0) { };
 
 	bool is_accept(void) { return (allow | deny | prompt | audit | quiet); }
 
 	void dump_header(ostream &os)
 	{
-		os << "priority (allow/deny/prompt/audit/quiet)";
+		os << "(allow/deny/prompt/audit/quiet)";
 	}
 	void dump(ostream &os)
 	{
-		os << " " << priority << " (0x " << hex
+		os << "(0x " << hex
 		   << allow << "/" << deny << "/" << "/" << prompt << "/" << audit << "/" << quiet
 		   << ')' << dec;
 	}
 
 	void clear(void) {
-		priority = INT_MIN;
 		allow = deny = prompt = audit = quiet = exact = 0;
 	}
-	void clear(int p) {
-		priority = p;
-		allow = deny = prompt = audit = quiet = exact = 0;
+
+	void clear_bits(perm32_t bits)
+	{
+		allow &= ~bits;
+		deny &= ~bits;
+		prompt &= ~bits;
+		audit &= ~bits;
+		quiet &= ~bits;
+		exact &= ~bits;
 	}
+
 	void add(perms_t &rhs, bool filedfa)
 	{
-		if (priority > rhs.priority)
-			return;
-		if (priority < rhs.priority) {
-			*this = rhs;
-			return;
-		} //else if (rhs.priority == priority) {
 		deny |= rhs.deny;
 
 		if (filedfa && !is_merged_x_consistent(allow & ALL_USER_EXEC,
@@ -131,12 +131,23 @@ public:
 		*/
 	}
 
+
+	/* returns true if perm is no longer accept */
 	int apply_and_clear_deny(void)
 	{
 		if (deny) {
 			allow &= ~deny;
+			exact &= ~deny;
 			prompt &= ~deny;
-			quiet &= deny;
+			/* don't change audit or quiet based on clearing
+			 * deny at this stage. This was made unique in
+			 * accept_perms, and the info about whether
+			 * we are auditing or quieting based on the explicit
+			 * deny has been discarded and can only be inferred.
+			 * But we know it is correct from accept_perms()
+			 * audit &= deny;
+			 * quiet &= deny;
+			 */
 			deny = 0;
 			return !is_accept();
 		}
@@ -145,8 +156,6 @@ public:
 
 	bool operator<(perms_t const &rhs)const
 	{
-		if (priority < rhs.priority)
-			return priority < rhs.priority;
 		if (allow < rhs.allow)
 			return allow < rhs.allow;
 		if (deny < rhs.deny)
@@ -158,11 +167,11 @@ public:
 		return quiet < rhs.quiet;
 	}
 
-	int priority;
 	perm32_t allow, deny, prompt, audit, quiet, exact;
 };
 
-int accept_perms(NodeVec *state, perms_t &perms, bool filedfa);
+int accept_perms(optflags const &opts, NodeVec *state, perms_t &perms,
+		 bool filedfa);
 
 /*
  * ProtoState - NodeSet and ancillery information used to create a state
@@ -226,7 +235,8 @@ struct DiffDag {
  */
 class State {
 public:
-	State(int l, ProtoState &n, State *other, bool filedfa):
+	State(optflags const &opts, int l, ProtoState &n, State *other,
+	      bool filedfa):
 		label(l), flags(0), idx(0), perms(), trans()
 	{
 		int error;
@@ -239,7 +249,7 @@ public:
 		proto = n;
 
 		/* Compute permissions associated with the State. */
-		error = accept_perms(n.anodes, perms, filedfa);
+		error = accept_perms(opts, n.anodes, perms, filedfa);
 		if (error) {
 			//cerr << "Failing on accept perms " << error << "\n";
 			throw error;
@@ -282,9 +292,9 @@ public:
 	{
 		accept1 = perms.allow;
 		if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV)
-		  accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet & perms.deny);
+			accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet);
 		else
-		accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet & perms.deny);
+			accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet);
 		accept3 = perms.prompt;
 	}
 
@@ -338,12 +348,16 @@ public:
 	}
 };
 
+typedef map<const State *, size_t> Renumber_Map;
+
 /* Transitions in the DFA. */
 class DFA {
 	void dump_node_to_dfa(void);
-	State *add_new_state(NodeSet *nodes, State *other);
-	State *add_new_state(NodeSet *anodes, NodeSet *nnodes, State *other);
-	void update_state_transitions(State *state);
+	State *add_new_state(optflags const &opts, NodeSet *nodes,
+			     State *other);
+	State *add_new_state(optflags const &opts,NodeSet *anodes,
+			     NodeSet *nnodes, State *other);
+	void update_state_transitions(optflags const &opts, State *state);
 	void process_work_queue(const char *header, optflags const &);
 	void dump_diff_chain(ostream &os, map<State *, Partition> &relmap,
 			     Partition &chain, State *state,
@@ -374,7 +388,7 @@ public:
 	void undiff_encode(void);
 	void dump_diff_encode(ostream &os);
 
-	void dump(ostream &os);
+	void dump(ostream &os, Renumber_Map *renum);
 	void dump_dot_graph(ostream &os);
 	void dump_uniq_perms(const char *s);
 

parser/libapparmor_re/policy_compat.cc

@@ -182,6 +182,8 @@ struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2,
 	perms.prompt = dfa_user_allow(accept3);
 	perms.audit = dfa_user_audit(accept1, accept2);
 	perms.quiet = dfa_user_quiet(accept1, accept2);
+	if (accept1 & AA_COMPAT_CONT_MATCH)
+		perms.allow |= AA_CONT_MATCH;
 
 	/*
 	 * This mapping is convulated due to history.

parser/mount.cc

@@ -247,8 +247,8 @@ static struct mnt_keyword_table mnt_opts_table[] = {
 	{"nodev",		MS_NODEV, 0},
 	{"exec",		0, MS_NOEXEC},
 	{"noexec",		MS_NOEXEC, 0},
-	{"sync",		MS_SYNC, 0},
-	{"async",		0, MS_SYNC},
+	{"sync",		MS_SYNCHRONOUS, 0},
+	{"async",		0, MS_SYNCHRONOUS},
 	{"remount",		MS_REMOUNT, 0},
 	{"mand",		MS_MAND, 0},
 	{"nomand",		0, MS_MAND},
@@ -313,10 +313,16 @@ static struct mnt_keyword_table mnt_conds_table[] = {
 static ostream &dump_flags(ostream &os,
 			    pair <unsigned int, unsigned int> flags)
 {
+	bool is_first = true;
 	for (int i = 0; mnt_opts_table[i].keyword; i++) {
 		if ((flags.first & mnt_opts_table[i].set) ||
-		    (flags.second & mnt_opts_table[i].clear))
+		    (flags.second & mnt_opts_table[i].clear)) {
+			if (!is_first) {
+				os << ", ";
+			}
+			is_first = false;
 			os << mnt_opts_table[i].keyword;
+		}
 	}
 	return os;
 }

parser/mount.h

@@ -35,7 +35,7 @@
 #define MS_DEV		0
 #define MS_NOEXEC	(1 << 3)
 #define MS_EXEC		0
-#define MS_SYNC		(1 << 4)
+#define MS_SYNCHRONOUS		(1 << 4)
 #define MS_ASYNC	0
 #define MS_REMOUNT	(1 << 5)
 #define MS_MAND		(1 << 6)
@@ -78,7 +78,7 @@
 #define MS_RSHARED	(MS_SHARED | MS_REC)
 
 #define MS_ALL_FLAGS	(MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC | \
-			 MS_SYNC | MS_REMOUNT | MS_MAND | MS_DIRSYNC | \
+			 MS_SYNCHRONOUS | MS_REMOUNT | MS_MAND | MS_DIRSYNC | \
 			 MS_NOSYMFOLLOW | \
 			 MS_NOATIME | MS_NODIRATIME | MS_BIND | MS_RBIND | \
 			 MS_MOVE | MS_VERBOSE | MS_ACL | \
@@ -108,7 +108,13 @@
 #define MS_MOVE_FLAGS (MS_MOVE)
 
 #define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | MS_MAKE_CMDS)
-#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT & ~MS_BIND & ~MS_RBIND))
+/*
+ * This allows MS_MAKE_CMDS, by design: while remount and make-* shouldn't be
+ * used together, real-world applications do use them together, and the Linux
+ * kernel ignores the make-* flags when doing a remount instead of returning
+ * EINVAL. See https://bugs.launchpad.net/apparmor/+bug/2091424 for an example.
+ */
+#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~MS_MOVE_FLAGS)
 #define MS_NEW_FLAGS (MS_ALL_FLAGS & ~MS_CMDS)
 
 #define MNT_SRC_OPT 1

parser/network.cc

@@ -352,10 +352,41 @@ bool parse_port_number(const char *port_entry, uint16_t *port) {
 	return false;
 }
 
+bool parse_range(const char *range, uint16_t *from, uint16_t *to)
+{
+	char *range_tmp = strdup(range);
+	char *dash = strchr(range_tmp, '-');
+	bool ret = false;
+	if (dash == NULL)
+		goto out;
+	*dash = '\0';
+
+	if (parse_port_number(range_tmp, from)) {
+		if (parse_port_number(dash + 1, to)) {
+			if (*from > *to) {
+				goto out;
+			}
+			ret = true;
+			goto out;
+		}
+	}
+
+out:
+	free(range_tmp);
+	return ret;
+}
+
 bool network_rule::parse_port(ip_conds &entry)
 {
 	entry.is_port = true;
-	return parse_port_number(entry.sport, &entry.port);
+	if (parse_range(entry.sport, &entry.from_port, &entry.to_port))
+		return true;
+	if (parse_port_number(entry.sport, &entry.from_port)) {
+		/* if range is not used, from and to have the same value */
+		entry.to_port = entry.from_port;
+		return true;
+	}
+	return false;
 }
 
 bool network_rule::parse_address(ip_conds &entry)
@@ -650,23 +681,23 @@ std::list<std::ostringstream> copy_streams_list(std::list<std::ostringstream> &s
 	return streams_copy;
 }
 
-bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
+bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, uint16_t port, bool is_port, bool is_cmd)
 {
 	std::string buf;
 	perm32_t cond_perms;
 	std::list<std::ostringstream> ip_streams;
 
 	for (auto &oss : streams) {
-		if (entry.is_port && !(entry.is_ip && entry.is_none)) {
+		if (is_port && !(entry.is_ip && entry.is_none)) {
 			/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
-			if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
+			if (!is_peer && perms & AA_NET_BIND && port < IPPORT_RESERVED)
 				oss << "\\x01";
 			else if (is_peer)
 				oss << "\\x02";
 			else
 				oss << "\\x00";
 
-			oss << gen_port_cond(entry.port);
+			oss << gen_port_cond(port);
 		} else {
 			/* port type + port number */
 			oss << "...";
@@ -690,7 +721,7 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st
 
 	cond_perms = map_perms(perms);
 	if (!is_cmd && (label || is_peer))
-		cond_perms = (AA_CONT_MATCH << 1);
+		cond_perms = AA_COMPAT_CONT_MATCH;
 
 	for (auto &oss : streams) {
 		oss << "\\x00"; /* null transition */
@@ -764,68 +795,83 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
 	}
 
 	if (perms & AA_PEER_NET_PERMS) {
+		for (int peer_port = peer.from_port; peer_port <= peer.to_port; peer_port++) {
+			std::list<std::ostringstream> streams;
+			std::ostringstream cmd_buffer;
+
+			cmd_buffer << buffer.str();
+			streams.push_back(std::move(cmd_buffer));
+
+			if (!gen_ip_conds(prof, streams, peer, true, peer_port, peer.is_port, false))
+				return false;
+
+			for (auto &oss : streams) {
+				oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
+			}
+
+			for (int local_port = local.from_port; local_port <= local.to_port; local_port++) {
+				std::list<std::ostringstream> localstreams;
+
+				for (auto &oss : streams) {
+					/* we need to copy streams because each local_port should be an unique entry */
+					std::ostringstream local_buffer;
+					local_buffer << oss.str();
+					localstreams.push_back(std::move(local_buffer));
+				}
+
+				if (!gen_ip_conds(prof, localstreams, local, false, local_port, local.is_port, true))
+					return false;
+			}
+		}
+	}
+
+
+	for (int local_port = local.from_port; local_port <= local.to_port; local_port++) {
 		std::list<std::ostringstream> streams;
-		std::ostringstream cmd_buffer;
+		std::ostringstream common_buffer;
 
-		cmd_buffer << buffer.str();
-		streams.push_back(std::move(cmd_buffer));
-
-		if (!gen_ip_conds(prof, streams, peer, true, false))
+		common_buffer << buffer.str();
+		streams.push_back(std::move(common_buffer));
+		if (!gen_ip_conds(prof, streams, local, false, local_port, local.is_port, false))
 			return false;
 
-		for (auto &oss : streams) {
-			oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
+		if (perms & AA_NET_LISTEN) {
+			std::list<std::ostringstream> cmd_streams;
+			cmd_streams = copy_streams_list(streams);
+
+			for (auto &cmd_buffer : streams) {
+				std::ostringstream listen_buffer;
+				listen_buffer << cmd_buffer.str();
+				listen_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
+				/* length of queue allowed - not used for now */
+				listen_buffer << "..";
+				buf = listen_buffer.str();
+				if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+								 rule_mode, map_perms(perms),
+								 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+								 parseopts))
+					return false;
+			}
 		}
+		if (perms & AA_NET_OPT) {
+			std::list<std::ostringstream> cmd_streams;
+			cmd_streams = copy_streams_list(streams);
 
-		if (!gen_ip_conds(prof, streams, local, false, true))
-			return false;
-	}
-
-	std::list<std::ostringstream> streams;
-	std::ostringstream common_buffer;
-
-	common_buffer << buffer.str();
-	streams.push_back(std::move(common_buffer));
-
-	if (!gen_ip_conds(prof, streams, local, false, false))
-		return false;
-
-	if (perms & AA_NET_LISTEN) {
-		std::list<std::ostringstream> cmd_streams;
-		cmd_streams = copy_streams_list(streams);
-
-		for (auto &cmd_buffer : streams) {
-			std::ostringstream listen_buffer;
-			listen_buffer << cmd_buffer.str();
-			listen_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
-			/* length of queue allowed - not used for now */
-			listen_buffer << "..";
-			buf = listen_buffer.str();
-			if (!prof.policy.rules->add_rule(buf.c_str(), priority,
-						rule_mode, map_perms(perms),
-						dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
-						 parseopts))
-				return false;
-		}
-	}
-	if (perms & AA_NET_OPT) {
-		std::list<std::ostringstream> cmd_streams;
-		cmd_streams = copy_streams_list(streams);
-
-		for (auto &cmd_buffer : streams) {
-			std::ostringstream opt_buffer;
-			opt_buffer << cmd_buffer.str();
-			opt_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
-			/* level - not used for now */
-			opt_buffer << "..";
-			/* socket mapping - not used for now */
-			opt_buffer << "..";
-			buf = opt_buffer.str();
-			if (!prof.policy.rules->add_rule(buf.c_str(), priority,
-						rule_mode, map_perms(perms),
-						dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
-						parseopts))
-				return false;
+			for (auto &cmd_buffer : streams) {
+				std::ostringstream opt_buffer;
+				opt_buffer << cmd_buffer.str();
+				opt_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
+				/* level - not used for now */
+				opt_buffer << "..";
+				/* socket mapping - not used for now */
+				opt_buffer << "..";
+				buf = opt_buffer.str();
+				if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+								 rule_mode, map_perms(perms),
+								 dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
+								 parseopts))
+					return false;
+			}
 		}
 	}
 

parser/network.h

@@ -130,7 +130,9 @@ public:
 	bool is_ip = false;
 	bool is_port = false;
 
-	uint16_t port;
+	uint16_t from_port = 0;
+	uint16_t to_port = 0;
+
 	struct ip_address ip;
 
 	bool is_none = false;
@@ -187,7 +189,7 @@ public:
 		}
 	};
 
-	bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd);
+	bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, uint16_t port, bool is_port, bool is_cmd);
 	bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol);
 	void set_netperm(unsigned int family, unsigned int type, unsigned int protocol);
 	void update_compat_net(void);

parser/parser.h

@@ -53,12 +53,6 @@ using namespace std;
  */
 extern int parser_token;
 
-/* Arbitrary max and minimum priority that userspace can specify, internally
- * we handle up to INT_MAX and INT_MIN. Do not ever allow INT_MAX, see
- * note on mediates_priority
- */
-#define MAX_PRIORITY 1000
-#define MIN_PRIORITY -1000
 
 #define WARN_RULE_NOT_ENFORCED	0x1
 #define WARN_RULE_DOWNGRADED	0x2

parser/parser_common.c

@@ -110,7 +110,12 @@ FILE *ofile = NULL;
 IncludeCache_t *g_includecache;
 
 optflags parseopts = {
-	.control = (optflags_t)(CONTROL_DFA_TREE_NORMAL | CONTROL_DFA_TREE_SIMPLE | CONTROL_DFA_MINIMIZE | CONTROL_DFA_DIFF_ENCODE | CONTROL_RULE_MERGE),
+	.control = (optflags_t)(CONTROL_DFA_TREE_NORMAL | CONTROL_DFA_TREE_SIMPLE | CONTROL_DFA_MINIMIZE | CONTROL_DFA_DIFF_ENCODE | CONTROL_RULE_MERGE |
+				/* TODO: remove when we have better auto
+				 * selection on when/which explicit denies
+				 * to remove
+				 */
+				CONTROL_DFA_FILTER_DENY),
 	.dump = 0,
 	.warn = DEFAULT_WARNINGS,
 	.Werror = 0

parser/parser_merge.c

@@ -54,6 +54,9 @@ static int file_comp(const void *c1, const void *c2)
 	if ((*e1)->audit != (*e2)->audit)
 		return (*e1)->audit < (*e2)->audit ? -1 : 1;
 
+	if ((*e1)->priority != (*e2)->priority)
+		return (*e2)->priority - (*e1)->priority;
+
 	return strcmp((*e1)->name, (*e2)->name);
 }
 

parser/parser_misc.c

@@ -1079,6 +1079,8 @@ void debug_cod_entries(struct cod_entry *list)
 		debug_base_perm_mask(SHIFT_TO_BASE(item->perms, AA_USER_SHIFT));
 		printf(":");
 		debug_base_perm_mask(SHIFT_TO_BASE(item->perms, AA_OTHER_SHIFT));
+
+		printf(" priority=%d ", item->priority);
 		if (item->name)
 			printf("\tName:\t(%s)\n", item->name);
 		else
@@ -1122,6 +1124,8 @@ bool entry_add_prefix(struct cod_entry *entry, const prefixes &p, const char *&e
 	else if (p.owner == 2)
 		entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 
+	entry->priority = p.priority;
+
 	/* implied audit modifier */
 	if (p.audit == AUDIT_FORCE && (entry->rule_mode != RULE_DENY))
 		entry->audit = AUDIT_FORCE;

parser/parser_regex.c

@@ -1093,9 +1093,21 @@ static const char *deny_file = ".*";
  *
  * Note: it turns out the above bug does exist for dbus rules in parsers
  * that do not support priority, and we don't have a way to fix it.
- * We fix it here by capping user specified priority to be < INT_MAX.
+ * We fix it here by capping user specified priority to be less than
+ * MAX_INTERNAL_PRIORITY.
  */
-static int mediates_priority = INT_MAX;
+static int mediates_priority = MAX_INTERNAL_PRIORITY;
+
+/* some rule types unfortunately encoded permissions on the class byte
+ * to fix the above bug, they need a different solution. The generic
+ * mediates rule will get encoded at the minimum priority, and then
+ * for every rule of those classes a mediates rule of the same priority
+ * will be added. This way the mediates rule never has higher priority,
+ * which would wipe out the rule permissions encoded on the class state,
+ * and it is guaranteed to have the same priority as the highest priority
+ * rule.
+ */
+static int perms_onclass_mediates_priority = MIN_INTERNAL_PRIORITY;
 
 int process_profile_policydb(Profile *prof)
 {
@@ -1112,7 +1124,7 @@ int process_profile_policydb(Profile *prof)
 	 * to be supported
 	 */
 	if (features_supports_userns &&
-	    !prof->policy.rules->add_rule(mediates_ns, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+	    !prof->policy.rules->add_rule(mediates_ns, perms_onclass_mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 		goto out;
 
 	/* don't add mediated classes to unconfined profiles */
@@ -1148,7 +1160,7 @@ int process_profile_policydb(Profile *prof)
 		    !prof->policy.rules->add_rule(mediates_sysv_mqueue, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 			goto out;
 		if (features_supports_io_uring &&
-		    !prof->policy.rules->add_rule(mediates_io_uring, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+		    !prof->policy.rules->add_rule(mediates_io_uring, perms_onclass_mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 			goto out;
 	}
 

parser/parser_yacc.y

@@ -640,10 +640,10 @@ opt_priority: { $$ = 0; }
 			yyerror("invalid priority %s", $3);
 		free($3);
 		/* see note on mediates_priority */
-		if (tmp > MAX_PRIORITY)
-			yyerror("invalid priority %l > %d", tmp, MAX_PRIORITY);
-		if (tmp < MIN_PRIORITY)
-			yyerror("invalid priority %l > %d", tmp, MIN_PRIORITY);
+		if (tmp > MAX_POLICY_PRIORITY)
+			yyerror("invalid priority %l > %d", tmp, MAX_POLICY_PRIORITY);
+		if (tmp < MIN_POLICY_PRIORITY)
+			yyerror("invalid priority %l > %d", tmp, MIN_POLICY_PRIORITY);
 		$$ = tmp;
 	}
 

parser/perms.h

@@ -24,6 +24,11 @@
  * older versions
  */
 
+#include <ostream>
+#include <iostream>
+using std::ostream;
+using std::cerr;
+
 #include <stdint.h>
 #include <sys/apparmor.h>
 
@@ -65,6 +70,9 @@
 #define AA_MAY_DELEGATE
 #define AA_CONT_MATCH		0x08000000
 
+// TODO: move into a reworked immunix.h that is dependent on perms.h
+#define AA_COMPAT_CONT_MATCH	(AA_CONT_MATCH << 1)
+
 #define AA_MAY_STACK		0x10000000
 #define AA_MAY_ONEXEC		0x20000000 /* either stack or change_profile */
 #define AA_MAY_CHANGE_PROFILE	0x40000000
@@ -79,7 +87,7 @@
  * - exec type - which determines how the executable name and index are used
  * - flags - which modify how the destination name is applied
  */
-#define AA_X_INDEX_MASK		AA_INDEX_MASK
+#define AA_X_INDEX_MASK		0xffffff
 
 #define AA_X_TYPE_MASK		0x0c000000
 #define AA_X_NONE		AA_INDEX_NONE
@@ -93,7 +101,8 @@
 
 typedef uint32_t perm32_t;
 
-struct aa_perms {
+class aa_perms {
+public:
 	perm32_t allow;
 	perm32_t deny;	/* explicit deny, or conflict if allow also set */
 
@@ -112,6 +121,33 @@ struct aa_perms {
 	uint32_t xindex;
 	uint32_t tag;	/* tag string index, if present */
 	uint32_t label;	/* label string index, if present */
+
+	void dump_header(ostream &os)
+	{
+		os << "(allow/deny/prompt//audit/quiet//xindex)\n";
+	}
+
+	void dump(ostream &os)
+	{
+		os << std::hex << "(0x" << allow << "/0x" << deny << "/0x"
+		   << prompt << "//0x" << audit << "/0x" << quiet
+		   << std::dec << "//";
+		if (xindex & AA_X_UNSAFE)
+			os << "unsafe ";
+		if (xindex & AA_X_TYPE_MASK) {
+			if (xindex & AA_X_CHILD)
+				os << "c";
+			else
+				os << "p";
+		}
+		if (xindex & AA_X_INHERIT)
+			os << "i";
+		if (xindex & AA_X_UNCONFINED)
+			os << "u";
+		os << (xindex & AA_X_INDEX_MASK);
+		os << ")";
+	}
+
 };
 
 #endif /* __AA_PERM_H */

parser/po/apparmor-parser.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:51-0700\n"
+"POT-Creation-Date: 2025-02-18 07:32-0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -86,37 +86,41 @@ msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
 #: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
-#: ../parser_interface.c:82
+#: ../parser_interface.c:82 ../parser_interface.c:84
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119 ../parser_interface.c:96
-#: ../parser_interface.c:100
+#: ../parser_interface.c:100 ../parser_interface.c:102
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
 #: ../parser_interface.c:101 ../parser_interface.c:105
+#: ../parser_interface.c:107
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
 #: ../parser_interface.c:106 ../parser_interface.c:110
+#: ../parser_interface.c:112
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
 #: ../parser_interface.c:111 ../parser_interface.c:115
+#: ../parser_interface.c:117
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr ""
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
 #: ../parser_interface.c:115 ../parser_interface.c:119
+#: ../parser_interface.c:121
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
@@ -125,24 +129,28 @@ msgstr ""
 #: ../parser_interface.c:141 ../parser_interface.c:165
 #: ../parser_interface.c:118 ../parser_interface.c:142
 #: ../parser_interface.c:123 ../parser_interface.c:147
+#: ../parser_interface.c:125 ../parser_interface.c:149
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr ""
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
 #: ../parser_interface.c:127 ../parser_interface.c:132
+#: ../parser_interface.c:134
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
 #: ../parser_interface.c:131 ../parser_interface.c:136
+#: ../parser_interface.c:138
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
 #: ../parser_interface.c:135 ../parser_interface.c:140
+#: ../parser_interface.c:142
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr ""
@@ -154,6 +162,7 @@ msgstr ""
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
 #: ../parser_interface.c:446 ../parser_interface.c:476
+#: ../parser_interface.c:542
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -199,16 +208,18 @@ msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
 #: ../parser_interface.c:593 ../parser_interface.c:579
+#: ../parser_interface.c:673
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169 parser_lex.l:192
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
 #: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173 parser_lex.l:174
+#: parser_lex.l:197
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -223,7 +234,7 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139 parser_lex.l:148
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
@@ -235,6 +246,7 @@ msgid "Found unexpected character: '%s'"
 msgstr ""
 
 #: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428 parser_lex.l:474
+#: parser_lex.l:516
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -254,7 +266,7 @@ msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
 #: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
-#: ../parser_main.c:1444
+#: ../parser_main.c:1444 ../parser_main.c:1654
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
@@ -270,7 +282,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
-#: ../parser_main.c:828
+#: ../parser_main.c:828 ../parser_main.c:891
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -280,6 +292,7 @@ msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
 #: ../parser_main.c:946 ../parser_main.c:860 ../parser_main.c:1038
+#: ../parser_main.c:1127
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -308,29 +321,36 @@ msgstr ""
 #: parser_yacc.y:1278 parser_yacc.y:1288 parser_yacc.y:1382 parser_yacc.y:1460
 #: parser_yacc.y:1592 parser_yacc.y:1597 parser_yacc.y:1674 parser_yacc.y:1692
 #: parser_yacc.y:1699 parser_yacc.y:1748 ../network.c:315 ../af_unix.cc:194
+#: ../parser_misc.c:226 ../parser_misc.c:970 parser_yacc.y:379
+#: parser_yacc.y:403 parser_yacc.y:571 parser_yacc.y:581 parser_yacc.y:673
+#: parser_yacc.y:744 parser_yacc.y:1073 parser_yacc.y:1160 parser_yacc.y:1169
+#: parser_yacc.y:1173 parser_yacc.y:1183 parser_yacc.y:1193 parser_yacc.y:1287
+#: parser_yacc.y:1365 parser_yacc.y:1561 parser_yacc.y:1569 parser_yacc.y:1619
+#: parser_yacc.y:1624 parser_yacc.y:1701 parser_yacc.y:1750 ../network.cc:945
+#: ../af_unix.cc:197 ../all_rule.cc:102 ../all_rule.cc:131
 msgid "Memory allocation error."
 msgstr ""
 
 #: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
-#: ../parser_main.c:975
+#: ../parser_main.c:975 ../parser_main.c:1062
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
-#: ../parser_main.c:979
+#: ../parser_main.c:979 ../parser_main.c:1066
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
-#: ../parser_main.c:1132
+#: ../parser_main.c:1132 ../parser_main.c:1221
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
 #: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
-#: ../parser_misc.c:532
+#: ../parser_misc.c:532 ../parser_misc.c:563
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
@@ -338,17 +358,18 @@ msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
 #: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
-#: ../parser_misc.c:573 ../parser_misc.c:580
+#: ../parser_misc.c:573 ../parser_misc.c:580 ../parser_misc.c:604
+#: ../parser_misc.c:611
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
 #: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
-#: ../parser_misc.c:597
+#: ../parser_misc.c:597 ../parser_misc.c:628
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
-#: ../parser_misc.c:608
+#: ../parser_misc.c:608 ../parser_misc.c:639
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -357,14 +378,16 @@ msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
 #: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
-#: ../parser_misc.c:616 ../parser_misc.c:657
+#: ../parser_misc.c:616 ../parser_misc.c:657 ../parser_misc.c:647
+#: ../parser_misc.c:688
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
 #: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
-#: ../parser_misc.c:643 ../parser_misc.c:651
+#: ../parser_misc.c:643 ../parser_misc.c:651 ../parser_misc.c:674
+#: ../parser_misc.c:682
 #, c-format
 msgid "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
@@ -376,7 +399,7 @@ msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
 #: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
-#: ../parser_misc.c:721
+#: ../parser_misc.c:721 ../parser_misc.c:752
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -388,12 +411,12 @@ msgid "AppArmor parser error: %s\n"
 msgstr ""
 
 #: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
-#: ../parser_merge.c:71
+#: ../parser_merge.c:71 ../parser_merge.c:77
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
 #: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
-#: ../parser_merge.c:93
+#: ../parser_merge.c:93 ../parser_merge.c:100
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
@@ -403,28 +426,34 @@ msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
 #: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348 parser_yacc.y:407
+#: parser_yacc.y:446
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
 #: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384 parser_yacc.y:449
+#: parser_yacc.y:487
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
 #: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506 parser_yacc.y:581
+#: ../profile.h:272
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
 #: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510 parser_yacc.y:585
+#: ../profile.h:276
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
 #: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513 parser_yacc.y:588
+#: ../profile.h:279
 msgid "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
 #: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516 parser_yacc.y:591
+#: ../profile.h:282
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
@@ -433,12 +462,13 @@ msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
 #: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552 parser_yacc.y:629
+#: ../profile.h:220
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
 #: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
-#: parser_yacc.y:673
+#: parser_yacc.y:673 parser_yacc.y:687
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
@@ -464,55 +494,66 @@ msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
 #: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786 parser_yacc.y:867
+#: parser_yacc.y:776
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810 parser_yacc.y:905
+#: parser_yacc.y:814
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819 parser_yacc.y:914
+#: parser_yacc.y:823
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992 parser_yacc.y:1077
+#: ../cond_expr.cc:36
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
 #: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092 parser_yacc.y:1181
+#: parser_yacc.y:1083
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
 #: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060 parser_yacc.y:1148
+#: parser_yacc.y:1050
 msgid "subset can only be used with link rules."
 msgstr ""
 
 #: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062 parser_yacc.y:1150
+#: parser_yacc.y:1052
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
 #: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064 parser_yacc.y:1152
+#: parser_yacc.y:1054
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
 #: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109 parser_yacc.y:1198
+#: parser_yacc.y:1100
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
 #: parser_yacc.y:1145 parser_yacc.y:1155 parser_yacc.y:1234 parser_yacc.y:1244
+#: ../network.cc:515
 msgid "Invalid network entry."
 msgstr ""
 
 #: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
-#: parser_yacc.y:1617
+#: parser_yacc.y:1617 parser_yacc.y:1644
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
 #: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525 parser_yacc.y:1637
+#: parser_yacc.y:1664
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
@@ -560,13 +601,13 @@ msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
 #: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
-#: ../parser_regex.c:487
+#: ../parser_regex.c:487 ../parser_regex.c:491
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
 #: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
-#: ../parser_policy.c:383
+#: ../parser_policy.c:383 ../parser_policy.c:231
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -580,19 +621,19 @@ msgid ""
 msgstr ""
 
 #: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
-#: ../parser_policy.c:340
+#: ../parser_policy.c:340 ../parser_policy.c:193
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
-#: ../parser_policy.c:370
+#: ../parser_policy.c:370 ../parser_policy.c:218
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
-#: ../parser_policy.c:363
+#: ../parser_policy.c:363 ../profile.cc:366
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -622,7 +663,7 @@ msgstr ""
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 
-#: parser_lex.l:180 parser_lex.l:186 parser_lex.l:187
+#: parser_lex.l:180 parser_lex.l:186 parser_lex.l:187 parser_lex.l:211
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
@@ -634,6 +675,8 @@ msgstr ""
 #: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
 #: ../parser_main.c:1041 ../parser_main.c:1332 ../parser_main.c:1354
 #: ../parser_misc.c:280 ../parser_misc.c:299 ../parser_misc.c:308
+#: ../parser_main.c:1511 ../parser_main.c:1535 ../parser_misc.c:310
+#: ../parser_misc.c:329 ../parser_misc.c:338
 msgid "Out of memory"
 msgstr ""
 
@@ -682,20 +725,20 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357 parser_yacc.y:1613 parser_yacc.y:1722
+#: parser_yacc.y:1357 parser_yacc.y:1613 parser_yacc.y:1722 parser_yacc.y:1724
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374 parser_yacc.y:1628 parser_yacc.y:1737
+#: parser_yacc.y:1374 parser_yacc.y:1628 parser_yacc.y:1737 parser_yacc.y:1739
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381 parser_yacc.y:1635 parser_yacc.y:1744
+#: parser_yacc.y:1381 parser_yacc.y:1635 parser_yacc.y:1744 parser_yacc.y:1746
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398 parser_yacc.y:1650 parser_yacc.y:1759
+#: parser_yacc.y:1398 parser_yacc.y:1650 parser_yacc.y:1759 parser_yacc.y:1761
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
@@ -712,11 +755,13 @@ msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
 #: ../parser_policy.c:366 ../parser_policy.c:339 ../parser_policy.c:347
+#: ../parser_policy.c:200
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:396 ../parser_policy.c:369 ../parser_policy.c:377
+#: ../parser_policy.c:225
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""
@@ -741,7 +786,7 @@ msgstr ""
 msgid "Internal: unexpected %s mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:599 ../parser_misc.c:792
+#: ../parser_misc.c:599 ../parser_misc.c:792 ../parser_misc.c:823
 #, c-format
 msgid "Internal error generated invalid %s perm 0x%x\n"
 msgstr ""
@@ -766,16 +811,16 @@ msgstr ""
 msgid "owner prefix not allowed on unix rules"
 msgstr ""
 
-#: parser_yacc.y:794 parser_yacc.y:885
+#: parser_yacc.y:794 parser_yacc.y:885 ../all_rule.cc:141
 msgid "owner prefix not allowed on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1293 parser_yacc.y:1377
+#: parser_yacc.y:1293 parser_yacc.y:1377 parser_yacc.y:1282
 #, c-format
 msgid "dbus rule: invalid conditional group %s=()"
 msgstr ""
 
-#: parser_yacc.y:1371 parser_yacc.y:1455
+#: parser_yacc.y:1371 parser_yacc.y:1455 parser_yacc.y:1360
 #, c-format
 msgid "unix rule: invalid conditional group %s=()"
 msgstr ""
@@ -785,183 +830,183 @@ msgstr ""
 msgid "%s: Regex error: trailing '\\' escape character\n"
 msgstr ""
 
-#: ../parser_common.c:112
+#: ../parser_common.c:112 ../parser_common.c:139
 #, c-format
 msgid "%s from %s (%s%sline %d): %s"
 msgstr ""
 
-#: ../parser_common.c:113
+#: ../parser_common.c:113 ../parser_common.c:140
 msgid "Warning converted to Error"
 msgstr ""
 
-#: ../parser_common.c:113
+#: ../parser_common.c:113 ../parser_common.c:140
 msgid "Warning"
 msgstr ""
 
-#: ../parser_interface.c:524
+#: ../parser_interface.c:524 ../parser_interface.c:618
 #, c-format
 msgid "Unable to open stdout - %s\n"
 msgstr ""
 
-#: ../parser_interface.c:533
+#: ../parser_interface.c:533 ../parser_interface.c:627
 #, c-format
 msgid "Unable to open output file - %s\n"
 msgstr ""
 
-#: parser_lex.l:326
+#: parser_lex.l:326 parser_lex.l:363
 msgid "Failed to process filename\n"
 msgstr ""
 
-#: parser_lex.l:720
+#: parser_lex.l:720 parser_lex.l:799
 #, c-format
 msgid "Lexer found unexpected character: '%s' (0x%x) in state: %s"
 msgstr ""
 
-#: ../parser_main.c:915
+#: ../parser_main.c:915 ../parser_main.c:1002
 #, c-format
 msgid "Unable to print the cache directory: %m\n"
 msgstr ""
 
-#: ../parser_main.c:951
+#: ../parser_main.c:951 ../parser_main.c:1038
 #, c-format
 msgid "Error: Could not load profile %s: %s\n"
 msgstr ""
 
-#: ../parser_main.c:961
+#: ../parser_main.c:961 ../parser_main.c:1048
 #, c-format
 msgid "Error: Could not replace profile %s: %s\n"
 msgstr ""
 
-#: ../parser_main.c:966
+#: ../parser_main.c:966 ../parser_main.c:1053
 #, c-format
 msgid "Error: Invalid load option specified: %d\n"
 msgstr ""
 
-#: ../parser_main.c:1077
+#: ../parser_main.c:1077 ../parser_main.c:1166
 #, c-format
 msgid "Could not get cachename for '%s'\n"
 msgstr ""
 
-#: ../parser_main.c:1434
+#: ../parser_main.c:1434 ../parser_main.c:1644
 msgid "Kernel features abi not found"
 msgstr ""
 
-#: ../parser_main.c:1438
+#: ../parser_main.c:1438 ../parser_main.c:1648
 msgid "Failed to add kernel capabilities to known capabilities set"
 msgstr ""
 
-#: ../parser_main.c:1465
+#: ../parser_main.c:1465 ../parser_main.c:1675
 #, c-format
 msgid "Failed to clear cache files (%s): %s\n"
 msgstr ""
 
-#: ../parser_main.c:1474
+#: ../parser_main.c:1474 ../parser_main.c:1684
 msgid ""
 "The --create-cache-dir option is deprecated. Please use --write-cache.\n"
 msgstr ""
 
-#: ../parser_main.c:1479
+#: ../parser_main.c:1479 ../parser_main.c:1689
 #, c-format
 msgid "Failed setting up policy cache (%s): %s\n"
 msgstr ""
 
-#: ../parser_misc.c:904
+#: ../parser_misc.c:904 ../parser_misc.c:935
 #, c-format
 msgid "Namespace not terminated: %s\n"
 msgstr ""
 
-#: ../parser_misc.c:906
+#: ../parser_misc.c:906 ../parser_misc.c:937
 #, c-format
 msgid "Empty namespace: %s\n"
 msgstr ""
 
-#: ../parser_misc.c:908
+#: ../parser_misc.c:908 ../parser_misc.c:939
 #, c-format
 msgid "Empty named transition profile name: %s\n"
 msgstr ""
 
-#: ../parser_misc.c:910
+#: ../parser_misc.c:910 ../parser_misc.c:941
 #, c-format
 msgid "Unknown error while parsing label: %s\n"
 msgstr ""
 
-#: parser_yacc.y:306
+#: parser_yacc.y:306 parser_yacc.y:334
 msgid "Failed to setup default policy feature abi"
 msgstr ""
 
-#: parser_yacc.y:308
+#: parser_yacc.y:308 parser_yacc.y:336
 #, c-format
 msgid ""
 "%s: File '%s' missing feature abi, falling back to default policy feature "
 "abi\n"
 msgstr ""
 
-#: parser_yacc.y:313
+#: parser_yacc.y:313 parser_yacc.y:341
 msgid "Failed to add policy capabilities to known capabilities set"
 msgstr ""
 
-#: parser_yacc.y:350
+#: parser_yacc.y:350 parser_yacc.y:386
 msgid "Profile names must begin with a '/' or a namespace"
 msgstr ""
 
-#: parser_yacc.y:372
+#: parser_yacc.y:372 parser_yacc.y:408
 msgid "Profile attachment must begin with a '/' or variable."
 msgstr ""
 
-#: parser_yacc.y:375
+#: parser_yacc.y:375 parser_yacc.y:411
 #, c-format
 msgid "profile id: invalid conditional group %s=()"
 msgstr ""
 
-#: parser_yacc.y:404
+#: parser_yacc.y:404 parser_yacc.y:443
 msgid ""
 "The use of file paths as profile names is deprecated. See man apparmor.d for "
 "more information\n"
 msgstr ""
 
-#: parser_yacc.y:573
+#: parser_yacc.y:573 ../profile.h:264
 #, c-format
 msgid "Profile flag '%s' conflicts with '%s'"
 msgstr ""
 
-#: parser_yacc.y:954
+#: parser_yacc.y:954 parser_yacc.y:862
 msgid "RLIMIT 'cpu' no units specified using default units of seconds\n"
 msgstr ""
 
-#: parser_yacc.y:966
+#: parser_yacc.y:966 parser_yacc.y:874
 msgid ""
 "RLIMIT 'rttime' no units specified using default units of microseconds\n"
 msgstr ""
 
-#: parser_yacc.y:1582
+#: parser_yacc.y:1582 parser_yacc.y:1609
 msgid "Exec condition is required when unsafe or safe keywords are present"
 msgstr ""
 
-#: parser_yacc.y:1584
+#: parser_yacc.y:1584 parser_yacc.y:1611
 msgid "Exec condition must begin with '/'."
 msgstr ""
 
-#: parser_yacc.y:1643
+#: parser_yacc.y:1643 parser_yacc.y:1670
 #, c-format
 msgid "AppArmor parser error at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1790
+#: parser_yacc.y:1790 parser_yacc.y:1797
 #, c-format
 msgid "Could not open '%s': %m"
 msgstr ""
 
-#: parser_yacc.y:1795
+#: parser_yacc.y:1795 parser_yacc.y:1802
 #, c-format
 msgid "fstat failed for '%s': %m"
 msgstr ""
 
-#: parser_yacc.y:1809
+#: parser_yacc.y:1809 parser_yacc.y:1816
 #, c-format
 msgid "failed to find features abi '%s': %m"
 msgstr ""
 
-#: parser_yacc.y:1813
+#: parser_yacc.y:1813 parser_yacc.y:1821
 #, c-format
 msgid ""
 "%s: %s features abi '%s' differs from policy declared feature abi, using the "
@@ -973,7 +1018,124 @@ msgstr ""
 msgid "%s: Invalid glob type %d\n"
 msgstr ""
 
-#: ../parser_regex.c:693
+#: ../parser_regex.c:693 ../parser_regex.c:721
 #, c-format
 msgid "The current kernel does not support stacking of named transitions: %s\n"
 msgstr ""
+
+#: ../parser_interface.c:76
+#, c-format
+msgid ""
+"%s: Permission denied. You need policy admin privileges to manage profiles.\n"
+"\n"
+msgstr ""
+
+#: ../parser_interface.c:80
+#, c-format
+msgid ""
+"%s: Access denied. You need policy admin privileges to manage profiles.\n"
+"\n"
+msgstr ""
+
+#: parser_lex.l:653 parser_lex.l:668
+msgid "deprecated use of '#include'\n"
+msgstr ""
+
+#: ../parser_misc.c:730
+#, c-format
+msgid "Internal: unexpected perms character '%c' in input"
+msgstr ""
+
+#: ../parser_misc.c:799
+#, c-format
+msgid "Internal: unexpected %s perms character '%c' in input"
+msgstr ""
+
+#: ../parser_misc.c:1100
+msgid ""
+"Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', "
+"'p', or 'u'"
+msgstr ""
+
+#: ../parser_misc.c:1104
+msgid "Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
+msgstr ""
+
+#: parser_yacc.y:689 parser_yacc.y:716 ../all_rule.cc:105 ../all_rule.cc:134
+#, c-format
+msgid "%s"
+msgstr ""
+
+#: parser_yacc.y:705
+msgid "priority is not allowed on rule blocks"
+msgstr ""
+
+#: parser_yacc.y:778
+msgid "owner conditional not allowed on unix rules"
+msgstr ""
+
+#: parser_yacc.y:794
+msgid "owner conditional not allowed on capability rules"
+msgstr ""
+
+#: parser_yacc.y:1119 parser_yacc.y:1132 parser_yacc.y:1146
+#, c-format
+msgid "network rule: invalid conditional group %s=()"
+msgstr ""
+
+#: parser_yacc.y:1827
+msgid "failed features abi not set but include cache skipped\n"
+msgstr ""
+
+#: ../parser_variable.c:295
+msgid "attach_disconnected_path value must begin with a /"
+msgstr ""
+
+#: ../mount.cc:903
+msgid ""
+"The use of source as mount point for propagation type flags is deprecated.\n"
+msgstr ""
+
+#: ../network.h:202
+msgid "priority prefix not allowed on network rules"
+msgstr ""
+
+#: ../network.h:206
+msgid "owner prefix not allowed on network rules"
+msgstr ""
+
+#: ../profile.h:287
+#, c-format
+msgid ""
+"Profile flag attach_disconnected set to conflicting values: '%s' and '%s'"
+msgstr ""
+
+#: ../profile.h:297
+#, c-format
+msgid "Profile flag kill.signal set to conflicting values: '%d' and '%d'"
+msgstr ""
+
+#: ../profile.h:307
+#, c-format
+msgid "Profile flag error set to conflicting values: '%s' and '%s'"
+msgstr ""
+
+#: ../userns.h:36
+msgid "owner prefix not allowed on userns rules"
+msgstr ""
+
+#: ../mqueue.h:106
+msgid "owner prefix not allowed on mqueue rules"
+msgstr ""
+
+#: ../io_uring.h:42
+msgid "owner prefix not allowed on io_uring rules"
+msgstr ""
+
+#: ../all_rule.h:36
+msgid "priority prefix not allowed on all rules"
+msgstr ""
+
+#: ../all_rule.h:40
+msgid "owner prefix not allowed on all rules"
+msgstr ""

parser/rc.apparmor.functions

@@ -253,7 +253,7 @@ remove_profiles() {
 	retval=0
 	# We filter child profiles as removing the parent will remove
 	# the children
-	sed -e "s/ (\(enforce\|complain\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \
+	sed -e "s/ (\(enforce\|complain\|prompt\|kill\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \
 	LC_COLLATE=C sort | grep -v // | {
 		while read -r profile ; do
 			printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"

parser/rule.h

@@ -182,6 +182,8 @@ public:
 	{
 		bool output = true;
 
+		if (priority != 0)
+			os << "priority=" << priority << " ";
 		switch (audit) {
 		case AUDIT_FORCE:
 			os << "audit";
@@ -252,9 +254,9 @@ public:
 		tmp = (int) rule_mode - (int) rhs.rule_mode;
 		if (tmp != 0)
 			return tmp;
-		if ((uint) owner < (uint) rhs.owner)
+		if ((unsigned int) owner < (unsigned int) rhs.owner)
 			return -1;
-		if ((uint) owner > (uint) rhs.owner)
+		if ((unsigned int) owner > (unsigned int) rhs.owner)
 			return 1;
 		return 0;
 	}

parser/tst/equality.sh

@@ -28,11 +28,104 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-${_SCRIPTDIR}/../apparmor_parser}"
 fails=0
 errors=0
 verbose="${VERBOSE:-}"
+default_features_file="features.all"
+features_file=$default_features_file
+retain=0
+dumpdfa=0
+testtype=""
+description="Manually run test"
+tmpdir=$(mktemp -d /tmp/eq.$$-XXXXXX)
+chmod 755 ${tmpdir}
+export tmpdir
+
+map_priority()
+{
+    if [ -z "$1" -o "$1" == "priority=0" ] ; then
+	echo "0";
+    elif [ "$1" == "priority=-1" ] ; then
+	echo "-1"
+    elif [ "$1" == "priority=1" ] ;then
+	echo "1"
+    else
+	echo "unknown priority '$1'"
+	exit 1
+    fi
+}
+
+priority_eq()
+{
+	local p1=$(map_priority "$1")
+	local p2=$(map_priority "$2")
+
+	if [ $p1 -eq $p2 ] ; then
+		return 0
+	fi
+
+	return 1
+}
+
+priority_lt()
+{
+	local p1=$(map_priority "$1")
+	local p2=$(map_priority "$2")
+
+	if [ $p1 -lt $p2 ] ; then
+		return 0
+	fi
+
+	return 1
+}
+
+priority_gt()
+{
+	local p1=$(map_priority "$1")
+	local p2=$(map_priority "$2")
+
+	if [ $p1 -gt $p2 ] ; then
+		return 0
+	fi
+
+	return 1
+}
 
 hash_binary_policy()
 {
-	printf %s "$1" | ${APPARMOR_PARSER} --features-file "${_SCRIPTDIR}/features_files/features.all" -qS 2>/dev/null| md5sum | cut -d ' ' -f 1
-	return $?
+	local hash="parser_failure"
+	local dump="/dev/null"
+	local flags="-QKSq"
+	local rc=0
+
+	if [ $dumpdfa -ne 0 ] ; then
+		flags="$flags -D rule-exprs -D dfa-states"
+		dump="${tmpdir}/$1.state"
+	fi
+
+	printf %s "$2" | ${APPARMOR_PARSER} --features-file "${_SCRIPTDIR}/features_files/$features_file" ${flags} > "$tmpdir/$1.bin" 2>"$dump"
+	rc=$?
+	if [ $rc -eq 0 ] ; then
+		hash=$(sha256sum "${tmpdir}/$1.bin" | cut -d ' ' -f 1)
+		rc=$?
+	fi
+
+	printf %s $hash
+	if [ $retain -eq 0 -a $rc -ne 0 ] ; then
+		rm ${tmpdir}/*
+	else
+		mv "${tmpdir}/$1.bin" "${tmpdir}/$1.bin.$hash"
+		if [ $dumpdfa -ne 0 ] ; then
+			mv "${tmpdir}/$1.state" "$tmpdir/$1.state.$hash"
+		fi
+	fi
+
+	return $rc
+}
+
+check_retain()
+{
+	if [ ${retain} -ne 0 ] ; then
+		printf "  files retained in \"%s/\"\n" ${tmpdir} 1>&2
+		exit $ret
+	fi
 }
 
 # verify_binary - compares the binary policy of multiple profiles
@@ -55,26 +148,28 @@ verify_binary()
 	shift
 	shift
 
-	if [ "$t" != "equality" ] && [ "$t" != "inequality" ]
+	if [ "$t" != "equality" ] && [ "$t" != "inequality" ] && \
+	       [ "$t" != "xequality" ] && [ "$t" != "xinequality" ]
 	then
 		printf "\nERROR: Unknown test mode:\n%s\n\n" "$t" 1>&2
 		((errors++))
 		return $((ret + 1))
 	fi
+	rm -f $tmpdir/*
 
 	if [ -n "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
-	if ! good_hash=$(hash_binary_policy "$good_profile")
-	then
+	if ! good_hash=$(hash_binary_policy "known" "$good_profile") ; then
 		if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 		printf "\nERROR: Error hashing the following \"known-good\" profile:\n%s\n\n" \
 		       "$good_profile" 1>&2
 		((errors++))
+		rm -f ${tmpdir}/*
 		return $((ret + 1))
 	fi
 
 	for profile in "$@"
 	do
-		if ! hash=$(hash_binary_policy "$profile")
+		if ! hash=$(hash_binary_policy "test" "$profile")
 		then
 			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 			printf "\nERROR: Error hashing the following profile:\n%s\n\n" \
@@ -84,20 +179,52 @@ verify_binary()
 		elif [ "$t" == "equality" ] && [ "$hash" != "$good_hash" ]
 		then
 			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
-			printf "\nFAIL: Hash values do not match\n" 2>&1
-			printf "known-good (%s) != profile-under-test (%s) for the following profile:\n%s\n\n" \
-				"$good_hash" "$hash" "$profile" 1>&2
+			printf "\nFAIL: Hash values do not match\n" 1>&2
+			printf "parser: %s -QKSq --features-file=%s\n" "${APPARMOR_PARSER}" "${_SCRIPTDIR}/features_files/$features_file" 1>&2
+			printf "known-good (%s) != profile-under-test (%s) for the following profiles:\nknown-good         %s\nprofile-under-test %s\n\n" \
+				"$good_hash" "$hash" "$good_profile" "$profile" 1>&2
 			((fails++))
 			((ret++))
+			check_retain
+		elif [ "$t" == "xequality" ] && [ "$hash" == "$good_hash" ]
+		then
+			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
+			printf "\nunexpected PASS: equality test with known problem, Hash values match\n" 1>&2
+			printf "parser: %s -QKSq --features-file=%s\n" "${APPARMOR_PARSER}" "${_SCRIPTDIR}/features_files/$features_file" 1>&2
+			printf "known-good (%s) == profile-under-test (%s) for the following profile:\nknown-good         %s\nprofile-under-test %s\n\n" \
+				"$good_hash" "$hash" "$good_profile" "$profile" 1>&2
+			((fails++))
+			((ret++))
+			check_retain
+		elif [ "$t" == "xequality" ] && [ "$hash" != "$good_hash" ]
+		then
+		    printf "\nknown problem %s %s: unchanged" "$t" "$desc" 1>&2
 		elif [ "$t" == "inequality" ] && [ "$hash" == "$good_hash" ]
 		then
 			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
-			printf "\nFAIL: Hash values match\n" 2>&1
-			printf "known-good (%s) == profile-under-test (%s) for the following profile:\n%s\n\n" \
-				"$good_hash" "$hash" "$profile" 1>&2
+			printf "\nFAIL: Hash values match\n" 1>&2
+			printf "parser: %s -QKSq --features-file=%s\n" "${APPARMOR_PARSER}" "${_SCRIPTDIR}/features_files/$features_file" 1>&2
+			printf "known-good (%s) == profile-under-test (%s) for the following profiles:\nknown-good         %s\nprofile-under-test %s\n\n" \
+				"$good_hash" "$hash" "$good_profile" "$profile" 1>&2
 			((fails++))
 			((ret++))
+			check_retain
+		elif [ "$t" == "xinequality" ] && [ "$hash" != "$good_hash" ]
+		then
+			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
+			printf "\nunexpected PASS: inequality test with known problem, Hash values do not match\n" 1>&2
+			printf "parser: %s -QKSq --features-file %s\n" "${APPARMOR_PARSER}" "${_SCRIPTDIR}/features_files/$features_file" 1>&2
+			printf "known-good (%s) != profile-under-test (%s) for the following profile:\nknown-good         %s\nprofile-under-test %s\n\n" \
+				"$good_hash" "$hash" "$good_profile" "$profile" 1>&2
+			((fails++))
+			((ret++))
+			check_retain
+		elif [ "$t" == "xinequality" ] && [ "$hash" == "$good_hash" ]
+		then
+			printf "\nknown problem %s %s: unchanged" "$t" "$desc" 1>&2
+			printf "parser: %s -QKSq --features-file=%s\n" "${APPARMOR_PARSER}" "${_SCRIPTDIR}/features_files/$features_file"  1>&2
 		fi
+		rm -f ${tmpdir}/test*
 	done
 
 	if [ $ret -eq 0 ]
@@ -117,11 +244,56 @@ verify_binary_equality()
 	verify_binary "equality" "$@"
 }
 
+# test we want to be equal but is currently a known problem
+verify_binary_xequality()
+{
+	verify_binary "xequality" "$@"
+}
+
 verify_binary_inequality()
 {
 	verify_binary "inequality" "$@"
 }
 
+# test we want to be not equal but is currently a know problem
+verify_binary_xinequality()
+{
+	verify_binary "xinequality" "$@"
+}
+
+# kernel_features - test whether path(s) are present
+# $@: feature path(s) to test
+# Returns: 0 and outputs "true" if all paths exist
+#          1 and error message if features dir is not available
+#          2 and error message if path does not exist
+kernel_features()
+{
+	features_dir="/sys/kernel/security/apparmor/features/"
+	if [ ! -e "$features_dir" ] ; then
+		echo "Kernel feature masks not supported."
+		return 1;
+	fi
+
+	for f in $@ ; do
+		if [ ! -e "$features_dir/$f" ] ; then
+			# check if feature is in file
+			feature=$(basename "$features_dir/$f")
+			file=$(dirname "$features_dir/$f")
+			if [ -f $file ]; then
+				if ! grep -q $feature $file; then
+					echo "Required feature '$f' not available."
+					return 2;
+				fi
+			else
+				echo "Required feature '$f' not available."
+				return 3;
+			fi
+		fi
+	done
+
+	echo "true"
+	return 0;
+}
 
 ##########################################################################
 ### wrapper fn, should be indented but isn't to reduce wrap
@@ -129,7 +301,7 @@ verify_set()
 {
     local p1="$1"
     local p2="$2"
-    echo -e "\n   equality $e of '$p1' vs '$p2'\n"
+    [ -n "${verbose}" ] && echo -e "\n   equality $e of '$p1' vs '$p2'\n"
 
 verify_binary_equality "'$p1'x'$p2' dbus send" \
 	"/t { $p1 dbus send, }" \
@@ -477,37 +649,86 @@ do
 	             "pix -> b" "Pix -> b" "cux -> b" "Cux -> b" \
 	             "cix -> b" "Cix -> b"
 	do
-		if [ "$perm1" == "$perm2" ] ; then
+		# Fixme: have to do special handling for -> b, as this
+		# creates an entry in the transition table. However
+		# priority rules can make it so the reference to the
+		# transition table is removed, but the parser still keeps
+		# the tranition. This can lead to a situation where the
+		# test dfa with a "-> b" transition is functionally equivalent
+		# but will fail equality comparison.
+		# fix this by adding two none overlapping x rules to add
+		# xtable entries
+		# /c -> /t//b, for cx rules being converted to px -> /t//b
+		# /a -> b, for px rules
+		# the rules must come last guarantee xtable order
+		if [ "$perm1" == "$perm2" ] || priority_gt "$p1" "" ; then
 			verify_binary_equality "'$p1'x'$p2' Exec perm \"${perm1}\" - most specific match: same as glob" \
-				"/t { $p1 /* ${perm1}, /f ${perm2}, }" \
-				"/t { $p2 /* ${perm1}, }"
+				"/t { $p1 /f* ${perm1}, /f ${perm2}, /a px -> b, /c px -> /t//b, }" \
+				"/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
 		else
 			verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \
-				"/t { $p1 /* ${perm1}, /f ${perm2}, }" \
-				"/t { $p2 /* ${perm1}, }"
+				"/t { $p1 /f* ${perm1}, /f ${perm2}, /a px -> b, /c px -> /t//b, }" \
+				"/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
 		fi
 	done
-	verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
-		"/t { $p1 /* ${perm1}, audit deny /f x, }" \
-		"/t { $p2 /* ${perm1}, }"
+	if priority_gt "$p1" "" ; then
+		# priority stops permission carve out
+		verify_binary_equality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
+			"/t { $p1 /* ${perm1}, audit deny /f x, }" \
+			"/t { $p2 /* ${perm1}, }"
+	else
+		# deny rule carves out some of the match
+		verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
+			"/t { $p1 /* ${perm1}, audit deny /f x, }" \
+			"/t { $p2 /* ${perm1}, }"
+	fi
 
 done
 
 #Test deny carves out permission
-verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
+if priority_gt "$p1" "" ; then
+	verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
 		       "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
 		       "/t { $p2 /foo/[abc] r, }"
 
-verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+	verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
 		       "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
 		       "/t { $p2 /foo/[ac] r, }"
 
 #this one may not be true in the future depending on if the compiled profile
 #is explicitly including deny permissions for dynamic composition
-verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
+	verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
 		       "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
 		       "/t { $p2 /foo/[abc] r, }"
+elif priority_eq "$p1" "" ; then
+	verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
+		       "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+		       "/t { $p2 /foo/[abc] r, }"
 
+	verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+		       "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+		       "/t { $p2 /foo/[ac] r, }"
+
+#this one may not be true in the future depending on if the compiled profile
+#is explicitly including deny permissions for dynamic composition
+	verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
+		       "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
+		       "/t { $p2 /foo/[abc] r, }"
+else
+	verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
+		       "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+		       "/t { $p2 /foo/[abc] r, }"
+
+	verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+		       "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+		       "/t { $p2 /foo/[ac] r, }"
+
+#this one may not be true in the future depending on if the compiled profile
+#is explicitly including deny permissions for dynamic composition
+	verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
+		       "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
+		       "/t { $p2 /foo/[abc] r, }"
+fi
 
 verify_binary_equality "'$p1'x'$p2' change_profile == change_profile -> **" \
 		       "/t { $p1 change_profile, }" \
@@ -587,9 +808,25 @@ verify_binary_equality "'$p1'x'$p2' @{profile_name} is literal in peer with esc
 # the "write" permission in the second profile and the test will fail.
 # If the parser is adding the change_hat proc attr rules then the
 # rules should merge and be equivalent.
-verify_binary_equality "'$p1'x'$p2' change_hat rules automatically inserted"\
-		       "/t { $p1 owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \
+#
+# if priorities are different then the implied rule priority then the
+# implied rule will completely override or completely be overriden.
+# (the change_hat implied rule has a priority of 0)
+# because of the difference in 'a' vs 'w' permission the two rules should
+# only be equal when the append rule has the same priority as the implied
+# rule (allowing them to combine) AND the other rule is not overridden by
+# the implied rule, or both being overridden by the implied rule
+# the implied rule
+if { priority_lt "$p1" "" && priority_lt "$p2" "" ; } ||
+   { priority_eq "$p1" "" && ! priority_lt "$p2" "" ; }; then
+    verify_binary_equality "'$p1'x'$p2' change_hat rules automatically inserted"\
+		       "/t { $p1 owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { $p1 owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \
 		       "/t { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}"
+else
+    verify_binary_equality "'$p1'x'$p2' change_hat rules automatically inserted"\
+		       "/t { $p1 owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { $p1 owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \
+		       "/t { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}"
+fi
 
 # verify slash filtering for unix socket address paths.
 # see https://bugs.launchpad.net/apparmor/+bug/1856738
@@ -677,7 +914,7 @@ verify_binary_equality "'$p1'x'$p2' mount specific deny doesn't affect non-overl
 
 if [ $fails -ne 0 ] || [ $errors -ne 0 ]
 then
-	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
+	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 1>&2
 	exit $((fails + errors))
 fi
 
@@ -758,12 +995,14 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \
 }
 
 
-printf "Equality Tests:\n"
+run_tests()
+{
+	printf "Equality Tests:\n"
 
-#rules that don't support priority
+	#rules that don't support priority
 
-# verify rlimit data conversions
-verify_binary_equality "set rlimit rttime <= 12 weeks" \
+	# verify rlimit data conversions
+	verify_binary_equality "set rlimit rttime <= 12 weeks" \
                        "/t { set rlimit rttime <= 12 weeks, }" \
                        "/t { set rlimit rttime <= $((12 * 7)) days, }" \
                        "/t { set rlimit rttime <= $((12 * 7 * 24)) hours, }" \
@@ -773,7 +1012,7 @@ verify_binary_equality "set rlimit rttime <= 12 weeks" \
                        "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000 * 1000)) us, }" \
                        "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000 * 1000)), }"
 
-verify_binary_equality "set rlimit cpu <= 42 weeks" \
+	verify_binary_equality "set rlimit cpu <= 42 weeks" \
                        "/t { set rlimit cpu <= 42 weeks, }" \
                        "/t { set rlimit cpu <= $((42 * 7)) days, }" \
                        "/t { set rlimit cpu <= $((42 * 7 * 24)) hours, }" \
@@ -781,39 +1020,209 @@ verify_binary_equality "set rlimit cpu <= 42 weeks" \
                        "/t { set rlimit cpu <= $((42 * 7 * 24 * 60 * 60)) seconds, }" \
                        "/t { set rlimit cpu <= $((42 * 7 * 24 * 60 * 60)), }"
 
-verify_binary_equality "set rlimit memlock <= 2GB" \
+	verify_binary_equality "set rlimit memlock <= 2GB" \
                        "/t { set rlimit memlock <= 2GB, }" \
                        "/t { set rlimit memlock <= $((2 * 1024)) MB, }" \
                        "/t { set rlimit memlock <= $((2 * 1024 * 1024)) KB, }" \
                        "/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }"
 
-
-# verify combinations of different priority levels
-# for single rule comparisons, rules should keep same expected result
-# even when the priorities are different.
-# different priorities within a profile comparison resulting in
-# different permission could affected expected results
-
-
-priorities="none 0 1 -1"
-
-for pri1 in $priorities ; do
-    if [ "$pri1" = "none" ] ; then
-	priority1=""
-    else
-	priority1="priority=$pri1"
-    fi
-    for pri2 in $priorities  ; do
-	if [ "$pri2" = "none" ] ; then
-	    priority2=""
+	run_port_range=$(kernel_features network_v8/af_inet)
+	if [ "$run_port_range" != "true" ]; then
+	    echo -e "\nSkipping network af_inet tests. $run_port_range\n"
 	else
-	    priority2="priority=$pri2"
+	    # network port range
+	    # select features file that contains netv8 af_inet
+	    features_file="features.af_inet"
+	    verify_binary_equality "network port range" \
+			   "/t { network port=3456-3460, }" \
+			   "/t { network port=3456, \
+				 network port=3457, \
+				 network port=3458, \
+				 network port=3459, \
+				 network port=3460, }"
+
+	    verify_binary_equality "network peer port range" \
+			   "/t { network peer=(port=3456-3460), }" \
+			   "/t { network peer=(port=3456), \
+				 network peer=(port=3457), \
+				 network peer=(port=3458), \
+				 network peer=(port=3459), \
+				 network peer=(port=3460), }"
+
+	    verify_binary_inequality "network port range allows more than single port" \
+			     "/t { network port=3456-3460, }" \
+			     "/t { network port=3456, }"
+
+	    verify_binary_inequality "network peer port range allows more than single port" \
+			     "/t { network peer=(port=3456-3460), }" \
+			     "/t { network peer=(port=3456), }"
+	    # return to default
+	    features_file=$default_features_file
 	fi
 
-	verify_set "$priority1" "$priority2"
-    done
+	# Equality tests that set explicit priority level
+	# TODO: priority handling for file paths is currently broken
+
+	# This test is not actually correct due to two subtle
+	# interactions: - /* is special-cased to expand to /[^/\x00]+
+	# with at least one character - Quieting of [^a] in the DFA is
+	# different and cannot be manually fixed
+
+	#verify_binary_xequality "file rule carveout regex vs priority" \
+	#	"/t { deny /[^a]* rwxlk, /a r, }" \
+	#	"/t { priority=-1 deny /* rwxlk, /a r, }" \
+
+	# Not grouping all three together because parser correctly handles
+	# the equivalence of carveout regex and default audit deny
+	verify_binary_equality "file rule carveout regex vs priority (audit)" \
+			"/t { audit deny /[^a]* rwxlk, /a r, }" \
+			"/t { priority=-1 audit deny /* rwxlk, /a r, }"
+
+	verify_binary_equality "file rule default audit deny vs audit priority carveout" \
+			"/t { /a r, }" \
+			"/t { priority=-1 audit deny /* rwxlk, /a r, }"
+
+	# verify combinations of different priority levels
+	# for single rule comparisons, rules should keep same expected result
+	# even when the priorities are different.
+	# different priorities within a profile comparison resulting in
+	# different permission could affected expected results
+
+
+	priorities="none 0 1 -1"
+
+	for pri1 in $priorities ; do
+	    if [ "$pri1" = "none" ] ; then
+		priority1=""
+	    else
+		priority1="priority=$pri1"
+	    fi
+	    for pri2 in $priorities  ; do
+		if [ "$pri2" = "none" ] ; then
+		    priority2=""
+		else
+		    priority2="priority=$pri2"
+		fi
+
+		verify_set "$priority1" "$priority2"
+	    done
+	done
+
+	[ -z "${verbose}" ] && printf "\n"
+	printf "PASS\n"
+	exit 0
+}
+
+
+usage()
+{
+	local progname="$0"
+	local rc="$1"
+	local msg="usage: ${progname} [Options]
+
+Run the equality tests if no options given, otherwise run as directed
+by the options.
+
+Options:
+  -h, --help	display this help
+  -e base args	run an equality test on the following args
+  -n base args	run an inequality test on the following args
+  -xequality	run a known proble equality test
+  -xinequality	run a known proble inequality test
+  -r		on failure retain failed test output and abort
+  -d		include dfa dumps with failed test output
+  -f arg	features file to use
+  -p arg	parser to invoke
+  --description	description to print with test
+  -v		verbose
+examples:
+$ equality.sh
+...
+$ equality.sh -r
+....
+inary equality 'priority=1'x'' Exec perm \"ux\" - most specific match: same as glob
+FAIL: Hash values do not match
+parser: ../apparmor_parser --config-file=./parser.conf --features-file=./features_files/features.all
+known-good (0344cd377ccb239aba4cce768b818010961d68091d8c7fae72c755cfcb48d4a2) != profile-under-test (33fdf4575322a036c2acb75f93a7154179036f1189ef68ab9f1ae98e7f865780) for the following profiles:
+known-good         /t { priority=1 /* ux, /f px -> b, }
+profile-under-test /t {  /* ux, }
+
+$ equality.sh -e \"/t { priority=1 /* Px -> b, /f Px, }\" \"/t {  /* Px, }\"
+$ equality.sh -e \"/t { priority=1 /* Px -> b, /f Px, }\" \"/t {  /* Px, }\""
+
+	echo "$msg"
+}
+
+
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+	-h|--help)
+	  usage
+	  exit 0
+	  ;;
+	-e|--equality)
+	    testtype="equality"
+	    shift # past argument
+	    ;;
+	--xequality)
+	    testtype="xequality"
+	    shift # past argument
+	    ;;
+	-n|--inequality)
+	    testtype="inequality"
+	    shift # past argument
+	    ;;
+	--xinequality)
+	    testtype="xinequality"
+	    shift # past argument
+	    ;;
+	-d|--dfa)
+	    dumpdfa=1
+	    shift # past argument
+	    ;;
+	-r|--retain)
+	    retain=1
+	    shift # past argument
+	    ;;
+	-v|--verbose)
+	    verbos=1
+	    shift # past argument
+	    ;;
+	-f|--feature-file)
+	    features_file="$2"
+	    shift # past argument
+	    shift # past option
+	    ;;
+	--description)
+	    description="$2"
+	    shift # past argument
+	    shift # past option
+	    ;;
+	-p|--parser)
+	    APPARMOR_PARSER="$2"
+	    shift # past argument
+	    shift # past option
+	    ;;
+	-*|--*)
+	    echo "Unknown option $1"
+	    exit 1
+	    ;;
+	*)
+	    POSITIONAL_ARGS+=("$1") # save positional arg
+	    shift # past argument
+	    ;;
+    esac
 done
 
-[ -z "${verbose}" ] && printf "\n"
-printf "PASS\n"
-exit 0
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+if [ $# -eq 0 -o -z $testtype] ; then
+	run_tests "$@"
+	exit $?
+fi
+
+for profile in "$@" ; do
+	verify_binary "$testtype" "$description" "$known" "$profile"
+done

parser/tst/features_files/features.af_inet

@@ -0,0 +1,117 @@
+capability {0xffffff
+}
+caps {extended {yes
+}
+mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
+}
+}
+dbus {mask {acquire send receive
+}
+}
+domain {attach_conditions {xattr {yes
+}
+}
+change_hat {yes
+}
+change_hatv {yes
+}
+change_onexec {yes
+}
+change_profile {yes
+}
+computed_longest_left {yes
+}
+disconnected.path {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+interruptible {yes
+}
+kill.signal {yes
+}
+post_nnp_subset {yes
+}
+stack {yes
+}
+unconfined_allowed_children {yes
+}
+version {1.2
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+io_uring {mask {sqpoll override_creds
+}
+}
+ipc {posix_mqueue {create read write open delete setattr getattr
+}
+}
+mount {mask {mount umount pivot_root
+}
+move_mount {detached
+}
+}
+namespaces {mask {userns_create
+}
+pivot_root {no
+}
+profile {yes
+}
+userns_create {pciu&
+}
+}
+network {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
+}
+af_unix {yes
+}
+}
+network_v8 {af_inet {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
+}
+}
+policy {outofband {0x000001
+}
+permstable32 {allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
+}
+permstable32_version {0x000003
+}
+set_load {yes
+}
+unconfined_restrictions {change_profile {yes
+}
+io_uring {0
+}
+userns {1
+}
+}
+versions {v5 {yes
+}
+v6 {yes
+}
+v7 {yes
+}
+v8 {yes
+}
+v9 {yes
+}
+}
+}
+ptrace {mask {read trace
+}
+}
+query {label {data {yes
+}
+multi_transaction {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}

parser/tst/minimize.sh

@@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
 # {a} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles basic perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -93,7 +93,7 @@ echo "ok"
 # {9} (0x 12804a/0/2800a/0)
 # {c} (0x 40030/0/0/0)
 echo -n "Minimize profiles audit perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -112,7 +112,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -130,7 +130,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 5 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -155,7 +155,7 @@ echo "ok"
 ## NOTE: change count from 6 to 7 when extend perms is not dependent on
 ## prompt rules being present
 echo -n "Minimize profiles extended no-filter audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 7 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -173,7 +173,7 @@ echo "ok"
 # {2} (0x 4/0//0/0/0)   <- from policydb still showing up bug
 
 echo -n "Minimize profiles extended filter audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -208,7 +208,7 @@ echo "ok"
 #
 
 echo -n "Minimize profiles xtrans "
-if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 3 ] ; then
+if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -216,7 +216,7 @@ echo "ok"
 
 # same test as above + audit
 echo -n "Minimize profiles audit xtrans "
-if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 3 ] ; then
+if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -229,7 +229,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/14005)
 
 echo -n "Minimize profiles deny xtrans "
-if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 1 ] ; then
+if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -241,7 +241,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/0)
 
 echo -n "Minimize profiles audit deny xtrans "
-if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 0 ] ; then
+if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
     echo "failed"
     exit 1;
 fi

parser/tst/simple_tests/file/priority/bad_1.sd

@@ -0,0 +1,7 @@
+#
+#=Description to rule priority out of low end of range
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  priority=-1001 /usr/bin/foo r,
+}

parser/tst/simple_tests/file/priority/bad_2.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic file rule priority outside high end of range.
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  priority=1001 /usr/bin/foo r,
+}

parser/tst/simple_tests/network/network_ok_17.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION network port range conditional test
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network peer=(port=22-443),
+  network port=22-443,
+  network port=22-443 peer=(port=1-100),
+  network ip=127.0.0.1 port=3456-3457,
+  network ip=127.0.0.1 port=3456-3457 peer=(ip=127.0.0.2 port=8765-8770),
+
+}

parser/userns.cc

@@ -99,6 +99,14 @@ int userns_rule::gen_policy_re(Profile &prof)
 					rule_mode, perms,
 					audit == AUDIT_FORCE ? perms : 0,
 					parseopts))
+
+			goto fail;
+		/* add a mediates_userns rule for every rule added. It
+		 * needs to be the same priority
+		 */
+		if (!prof.policy.rules->add_rule(buf.c_str(), priority,
+					RULE_ALLOW, AA_MAY_READ, 0,
+					parseopts))
 			goto fail;
 	}
 

profiles/apparmor.d/abstractions/dconf

@@ -5,8 +5,9 @@
 # permissions for querying dconf settings; granting write access should
 # be specified in a specific application's profile.
 
-  /etc/dconf/** r,
-  owner @{run}/user/*/dconf/user r,
+  @{etc_ro}/dconf/** r,
+  # TODO: make w conditional when an override is available, so it can be moved to a portal.
+  owner @{run}/user/*/dconf/user rw,
   owner @{HOME}/.config/dconf/user r,
 
   # Include additions to the abstraction

profiles/apparmor.d/abstractions/devices-usb

@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#    Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/4.0>,
+
+  include <abstractions/devices-usb-read>
+
+  /dev/bus/usb/@{int}/@{int} wk,
+
+  @{sys}/devices/**/usb@{int}/{,**} w,
+
+  include if exists <abstractions/devices-usb.d>
+
+# vim:syntax=apparmor

profiles/apparmor.d/abstractions/devices-usb-read

@@ -0,0 +1,35 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2021 Mikhail Morfikov
+#    Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/4.0>,
+
+  /dev/ r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/@{int}/ r,
+  /dev/bus/usb/@{int}/@{int} r,
+
+  @{sys}/class/ r,
+  @{sys}/class/usbmisc/ r,
+
+  @{sys}/bus/ r,
+  @{sys}/bus/usb/ r,
+  @{sys}/bus/usb/devices/{,**} r,
+
+  @{sys}/devices/**/usb@{int}/{,**} r,
+
+  # Udev data about usb devices (~equal to content of lsusb -v)
+  @{run}/udev/data/+usb:* r,
+  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
+  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+
+  include if exists <abstractions/devices-usb-read.d>
+
+# vim:syntax=apparmor

profiles/apparmor.d/abstractions/mesa

@@ -20,6 +20,12 @@
   owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
   owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
 
+  owner @{HOME}/.cache/mesa_shader_cache_db/ rw,
+  owner @{HOME}/.cache/mesa_shader_cache_db/index rwk,
+  owner @{HOME}/.cache/mesa_shader_cache_db/part*/ rw,
+  owner @{HOME}/.cache/mesa_shader_cache_db/part*/mesa_cache.db rwk,
+  owner @{HOME}/.cache/mesa_shader_cache_db/part*/mesa_cache.idx rwk,
+
   # Fallback location when @{HOME}/.cache is not available
   owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
   owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,

profiles/apparmor.d/abstractions/nameservice

@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
 #    Copyright (C) 2009-2011 Canonical Ltd.
+#    Copyright (C) 2011-2024 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -11,29 +12,11 @@
 
   abi <abi/4.0>,
 
-  # Many programs wish to perform nameservice-like operations, such as
-  # looking up users by name or id, groups by name or id, hosts by name
-  # or IP, etc. These operations may be performed through files, dns,
-  # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
-  @{etc_ro}/group          r,
-  @{etc_ro}/host.conf      r,
-  @{etc_ro}/hosts          r,
-  @{etc_ro}/nsswitch.conf  r,
-  @{etc_ro}/gai.conf       r,
-  @{etc_ro}/passwd         r,
-  @{etc_ro}/protocols      r,
-
-  # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
-  @{etc_ro}/authselect/nsswitch.conf r,
+  include <abstractions/nameservice-strict>
 
   # libtirpc (used for NIS/YP login) needs this
   @{etc_ro}/netconfig r,
 
-  # When using libnss-extrausers, the passwd and group files are merged from
-  # an alternate path
-  /var/lib/extrausers/group  r,
-  /var/lib/extrausers/passwd r,
-
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
@@ -41,16 +24,13 @@
   /var/lib/sss/mc/passwd  r,
   /var/lib/sss/pipes/nss  rw,
 
-  @{etc_ro}/resolv.conf r,
   # On systems where /etc/resolv.conf is managed programmatically, it is
   # a symlink to @{run}/(whatever program is managing it)/resolv.conf.
-  @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
+  @{run}/{NetworkManager,connman,netconfig}/resolv.conf r,
   @{etc_ro}/resolvconf/run/resolv.conf  r,
-  @{run}/systemd/resolve/stub-resolv.conf r,
   /mnt/wsl/resolv.conf r,
 
   @{etc_ro}/samba/lmhosts  r,
-  @{etc_ro}/services       r,
   # db backend
   /var/lib/misc/*.db      r,
   # The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -60,13 +40,19 @@
   /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts}    r,
   # nscd renames and unlinks files in it's operation that clients will
   # have open
-  @{run}/nscd/db*  rmix,
+  @{run}/nscd/db*  mix,
+
+  # make libnss-libvirt name resolution work.
+  /var/lib/libvirt/dnsmasq/*  r,
+
+  # make libnss-libvirt name resolution work.
+  /var/lib/libvirt/dnsmasq/  r,
+  /var/lib/libvirt/dnsmasq/*.status  r,
 
   # The nss libraries are sometimes used in addition to PAM; make sure
   # they are available
   /{usr/,}lib{,32,64}/libnss_*.so*      mr,
   /{usr/,}lib/@{multiarch}/libnss_*.so*      mr,
-  @{etc_ro}/default/nss               r,
 
   # avahi-daemon is used for mdns4 resolution
   @{run}/avahi-daemon/socket rw,
@@ -93,9 +79,6 @@
   # kerberos
   include <abstractions/kerberosclient>
 
-  #libnss-systemd
-  include <abstractions/nss-systemd>
-
   # Also allow lookups for systemd-exec's DynamicUsers via D-Bus
   #   https://www.freedesktop.org/software/systemd/man/systemd.exec.html
   dbus send

profiles/apparmor.d/abstractions/nameservice-strict

@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Many programs wish to perform nameservice-like operations, such as looking up
+# users by name or id, groups by name or id, hosts by name or IP, etc.
+
+  abi <abi/4.0>,
+
+  include <abstractions/nss-systemd>
+
+  @{etc_ro}/default/nss r,
+  @{etc_ro}/gai.conf r,
+  @{etc_ro}/group r,
+  @{etc_ro}/host.conf r,
+  @{etc_ro}/hosts r,
+  @{etc_ro}/nsswitch.conf r,
+  @{etc_ro}/passwd r,
+  @{etc_ro}/protocols r,
+  @{etc_ro}/resolv.conf r,
+  @{etc_ro}/services r,
+
+  # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
+  @{etc_ro}/authselect/nsswitch.conf r,
+
+  # Alternative location for group & passwd files
+  /var/lib/extrausers/group  r,
+  /var/lib/extrausers/passwd r,
+  /var/lib/nscd/group r,
+  /var/lib/nscd/passwd r,
+
+  @{run}/nscd/db* r,
+  @{run}/resolvconf/resolv.conf r,
+  @{run}/systemd/resolve/resolv.conf r,
+  @{run}/systemd/resolve/stub-resolv.conf r,
+
+  include if exists <abstractions/nameservice-strict.d>
+
+# vim:syntax=apparmor

profiles/apparmor.d/abstractions/php

@@ -13,25 +13,25 @@
   abi <abi/4.0>,
 
   # shared snippets for config files
-  /etc/php{,5,7,8}/** r,
+  /etc/php{,5,7,8,-legacy}/** r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
   # php extensions
-  /usr/lib{64,}/php{,5,7,8}/*/*.so mr,
+  /usr/lib{64,}/php{,5,7,8,-legacy}/*/*.so mr,
 
   # ICU (unicode support) data tables
   /usr/share/icu/*/*.dat r,
 
   # php session mmap socket
-  /var/lib/php{,5,7,8}/session_mm_* rwlk,
+  /var/lib/php{,5,7,8,-legacy}/session_mm_* rwlk,
   # file based session handler
-  /var/lib/php{,5,7,8}/sess_* rwlk,
-  /var/lib/php{,5,7,8}/sessions/* rwlk,
+  /var/lib/php{,5,7,8,-legacy}/sess_* rwlk,
+  /var/lib/php{,5,7,8,-legacy}/sessions/* rwlk,
 
   # php libraries
-  /usr/share/php{,5,7,8}/ r,
-  /usr/share/php{,5,7,8}/** mr,
+  /usr/share/php{,5,7,8,-legacy}/ r,
+  /usr/share/php{,5,7,8,-legacy}/** mr,
 
   # MySQL extension
   /usr/share/mysql/** r,

profiles/apparmor.d/abstractions/python

@@ -45,5 +45,10 @@
   owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/    r,
   owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
 
+  # Starting with Python 3.8, you can use the PYTHONPYCACHEPREFIX environment
+  # variable to define a cache directory for Python.
+  owner @{HOME}/.cache/Python/ rw,
+  owner @{HOME}/.cache/Python/** rw,
+
   # Include additions to the abstraction
   include if exists <abstractions/python.d>

profiles/apparmor.d/bin.ping

@@ -24,6 +24,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
 
   /{,usr/}bin/{,iputils-}ping mixr,
   /etc/modules.conf r,
+  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/bin.ping>

profiles/apparmor.d/php-fpm

@@ -4,7 +4,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
+profile php-fpm /usr/{bin,sbin}/php-fpm* flags=(attach_disconnected) {
   # load common libraries and their support files
   include <abstractions/base>
   # resolve hostnames/usernames
@@ -32,15 +32,15 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
   /var/log/php*-fpm.log rw,
 
   # we need to be able to create all sockets
-  @{run}/php{,-fpm}/php*-fpm.pid rw,
+  @{run}/php{,-fpm,-fpm-legacy}/php*-fpm.pid rw,
   @{run}/php*-fpm.pid rw,
-  @{run}/php{,-fpm}/php*-fpm.sock rwlk,
+  @{run}/php{,-fpm,-fpm-legacy}/*.sock{,et} rwlk,
 
   # LP: #2061113
   owner @{run}/systemd/notify w,
 
   # to reload
-  /usr/sbin/php-fpm* rix,
+  /usr/{bin,sbin}/php-fpm* rix,
 
   # no idea why php tries to open / read/write
   deny / rw,

profiles/apparmor.d/slirp4netns

@@ -7,6 +7,10 @@ include <tunables/global>
 profile slirp4netns /usr/bin/slirp4netns flags=(unconfined) {
   userns,
 
+  # pivot_root is required for running `slirp4netns --enable-sandbox` inside LXD.
+  # https://github.com/rootless-containers/slirp4netns/issues/348
+  pivot_root,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/slirp4netns>
 }

profiles/apparmor.d/toybox

@@ -4,7 +4,7 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile toybox /bin/toybox flags=(unconfined) {
+profile toybox /usr/bin/toybox flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/transmission

@@ -5,7 +5,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile transmission-daemon /usr/bin/transmission-daemon flags=(complain) {
+profile transmission-daemon /usr/bin/transmission-daemon flags=(complain,attach_disconnected) {
   # Don't use abstractions/transmission-common here, as the
   # access needed is narrower than the user applications
   include <abstractions/base>
@@ -47,7 +47,7 @@ profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
   include if exists <local/transmission-cli>
 }
 
-profile transmission-gtk /usr/bin/transmission-gtk flags=(complain) {
+profile transmission-gtk /usr/bin/transmission-gtk flags=(complain,attach_disconnected) {
   include <abstractions/transmission-common>
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf>

profiles/apparmor.d/tunables/global

@@ -17,6 +17,7 @@ include <tunables/multiarch>
 include <tunables/proc>
 include <tunables/alias>
 include <tunables/kernelvars>
+include <tunables/system>
 include <tunables/xdg-user-dirs>
 include <tunables/share>
 include <tunables/etc>

profiles/apparmor.d/tunables/system

@@ -0,0 +1,99 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# Any digit
+@{d}=[0-9]
+
+# Any letter
+@{l}=[a-zA-Z]
+
+# Single alphanumeric character
+@{c}=[0-9a-zA-Z]
+
+# Word character: matches any letter, digit or underscore.
+@{w}=[a-zA-Z0-9_]
+
+# Single hexadecimal character
+@{h}=[0-9a-fA-F]
+
+# Integer up to 10 digits (0-9999999999)
+@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}
+
+# hexadecimal, alphanumeric and word up to 64 characters
+@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
+@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
+@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
+
+# Unsigned integer over 8 bits (0...255)
+@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]
+
+# Unsigned integer over 16 bits (0...65,535 5 digits)
+@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}
+
+# Unsigned integer over 32 bits (0...4,294,967,295 10 digits)
+@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
+
+# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits).
+@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
+
+# Any x digits characters
+@{int2}=@{d}@{d}
+@{int4}=@{int2}@{int2}
+@{int6}=@{int4}@{int2}
+@{int8}=@{int4}@{int4}
+@{int9}=@{int8}@{d}
+@{int10}=@{int8}@{int2}
+@{int12}=@{int8}@{int4}
+@{int15}=@{int8}@{int4}@{int2}@{d}
+@{int16}=@{int8}@{int8}
+@{int32}=@{int16}@{int16}
+@{int64}=@{int32}@{int32}
+
+# Any x hexadecimal characters
+@{hex2}=@{h}@{h}
+@{hex4}=@{hex2}@{hex2}
+@{hex6}=@{hex4}@{hex2}
+@{hex8}=@{hex4}@{hex4}
+@{hex9}=@{hex8}@{h}
+@{hex10}=@{hex8}@{hex2}
+@{hex12}=@{hex8}@{hex4}
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
+@{hex16}=@{hex8}@{hex8}
+@{hex32}=@{hex16}@{hex16}
+@{hex38}=@{hex32}@{hex6}
+@{hex64}=@{hex32}@{hex32}
+
+# Any x alphanumeric characters
+@{rand2}=@{c}@{c}
+@{rand4}=@{rand2}@{rand2}
+@{rand6}=@{rand4}@{rand2}
+@{rand8}=@{rand4}@{rand4}
+@{rand9}=@{rand8}@{c}
+@{rand10}=@{rand8}@{rand2}
+@{rand12}=@{rand8}@{rand4}
+@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
+@{rand16}=@{rand8}@{rand8}
+@{rand32}=@{rand16}@{rand16}
+@{rand64}=@{rand32}@{rand32}
+
+# Any x word characters
+@{word2}=@{w}@{w}
+@{word4}=@{word2}@{word2}
+@{word6}=@{word4}@{word2}
+@{word8}=@{word4}@{word4}
+@{word9}=@{word8}@{w}
+@{word10}=@{word8}@{word2}
+@{word12}=@{word8}@{word4}
+@{word15}=@{word8}@{word4}@{word2}@{w}
+@{word16}=@{word8}@{word8}
+@{word32}=@{word16}@{word16}
+@{word64}=@{word32}@{word32}
+
+include if exists <tunables/system.d>

profiles/apparmor.d/usr.sbin.dovecot

@@ -45,6 +45,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   /etc/SuSE-release r,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/fs/suid_dumpable r,
+  @{PROC}/sys/kernel/core_pattern r,
   /usr/bin/doveconf rix,
   /usr/lib*/dovecot/anvil mrPx,
   /usr/lib*/dovecot/auth mrPx,

profiles/apparmor.d/usr.sbin.smbd

@@ -13,6 +13,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   include <abstractions/wutmp>
 
   capability audit_write,
+  capability chown,
   capability dac_override,
   capability dac_read_search,
   capability fowner,

profiles/apparmor.d/zgrep

@@ -17,6 +17,8 @@ profile zgrep /usr/bin/{x,}zgrep {
   include <abstractions/bash>
 
   /dev/tty rw,
+  @{etc_ro}/nsswitch.conf  r,
+  /etc/passwd r,
   /usr/bin/{ba,da,}sh ix,
   /usr/bin/bzip2 Cx -> helper,
   /usr/bin/cat ix,
@@ -35,6 +37,9 @@ profile zgrep /usr/bin/{x,}zgrep {
   owner /tmp/zgrep* rw,
   /usr/bin/zgrep r,
 
+  deny /etc/nsswitch.conf r,
+  deny /etc/passwd r,
+
   include if exists <local/zgrep>
 
   profile helper {

profiles/apparmor/profiles/extras/bwrap-userns-restrict

@@ -1,17 +1,12 @@
-# This profile allows almost everything and only exists to allow
-# bwrap to work on a system with user namespace restrictions
-# being enforced.
-# bwrap is allowed access to user namespaces and capabilities
-# within the user namespace, but its children do not have
-# capabilities, blocking bwrap from being able to be used to
-# arbitrarily by-pass the user namespace restrictions.
-#
-# Note: the bwrap child is stacked against the bwrap profile due to
-# bwraps use of no-new-privs
+# This profile allows almost everything and only exists to allow bwrap
+# to work on a system with user namespace restrictions being enforced.
+# bwrap is allowed access to user namespaces and capabilities within
+# the user namespace, but its children do not have capabilities,
+# blocking bwrap from being able to be used to arbitrarily by-pass the
+# user namespace restrictions.
 
-# disabled by default as it can break some use cases on a system that
-# doesn't have or has disable user namespace restrictions for unconfined
-# use aa-enforce to enable it
+# Note: the bwrap child is stacked against the bwrap profile due to
+# bwraps use of no-new-privs.
 
 abi <abi/4.0>,
 
@@ -19,9 +14,11 @@ include <tunables/global>
 
 profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
   allow capability,
-  # not allow all, to allow for pix stack
-  # sadly we have to allow  m every where to allow children to work under
-  # stacking.
+  # not allow all, to allow for pix stack on systems that don't support
+  # rule priority.
+  #
+  # sadly we have to allow 'm' every where to allow children to work under
+  # profile stacking atm.
   allow file rwlkm /{**,},
   allow network,
   allow unix,
@@ -34,7 +31,23 @@ profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
   allow umount,
   allow pivot_root,
   allow dbus,
-  allow px /** -> bwrap//&unpriv_bwrap,
+
+  # stacked like this due to no-new-privs restriction
+  # this will stack a target profile against bwrap and unpriv_bwrap
+  # Ideally
+  # - there would be a transition at userns creation first. This would allow
+  #   for the bwrap profile to be tighter, and looser within the user
+  #   ns. bwrap will still have to fairly loose until a transition at
+  #   namespacing in general (not just user ns) is available.
+  # - there would be an independent second target as fallback
+  #   This would allow for select target profiles to be used, and not
+  #   necessarily stack the unpriv_bwrap in cases where this is desired
+  #
+  # the ix works here because stack will apply to ix fallback
+  # Ideally we would sanitize the environment across a privilege boundry
+  # (leaving bwarp into application) but flatpak etc use environment glibc
+  # sanitized environment variables as part of the sandbox setup.
+  allow pix /** -> &bwrap//&unpriv_bwrap,
 
   # the local include should not be used without understanding the userns
   # restriction.
@@ -42,6 +55,7 @@ profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
   include if exists <local/bwrap-userns-restrict>
 }
 
+# The unpriv_bwrap profile is used to strip capabilities within the userns
 profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
   # not allow all, to allow for pix stack
   allow file rwlkm /{**,},
@@ -57,6 +71,9 @@ profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
   allow pivot_root,
   allow dbus,
 
+  # bwrap profile does stacking against itself this will keep the target
+  # profile from having elevated privileges in the container.
+  # If done recursively the stack will remove any duplicate
   allow pix /** -> &unpriv_bwrap,
 
   audit deny capability,

profiles/apparmor/profiles/extras/postfix-anvil

@@ -13,12 +13,12 @@
 
 include <tunables/global>
 
-profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
+profile postfix-anvil /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
 
-  /usr/lib/postfix/{bin/,sbin/,}anvil         mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil  mrix,
 
   /etc/postfix/main.cf                        r,
   /{var/spool/postfix/,}private/anvil         rw,

profiles/apparmor/profiles/extras/postfix-bounce

@@ -14,12 +14,12 @@
 
 include <tunables/global>
 
-profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
+profile postfix-bounce /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
 
-  /usr/lib/postfix/{bin/,sbin/,}bounce                             mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce                      mrix,
 
   /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/*                 rwkl,
   /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/                  rwl,

profiles/apparmor/profiles/extras/postfix-cleanup

@@ -14,7 +14,7 @@
 
 include <tunables/global>
 
-profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
+profile postfix-cleanup /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
@@ -22,7 +22,7 @@ profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
   capability net_bind_service,
   capability dac_read_search,
 
-  /usr/lib/postfix/{bin/,sbin/,}cleanup                   mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup            mrix,
 
   /{var/spool/postfix/,}incoming/[0-9]*.[0-9]*            rwl,
   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/*      rwl,

profiles/apparmor/profiles/extras/postfix-discard

@@ -14,10 +14,10 @@
 
 include <tunables/global>
 
-profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
+profile postfix-discard /usr/lib{,exec}/postfix/{bin/,sbin/,}discard {
   include <abstractions/base>
 
-  /usr/lib/postfix/{bin/,sbin/,}discard mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}discard mrix,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/postfix-discard>

profiles/apparmor/profiles/extras/postfix-dnsblog

@@ -13,10 +13,10 @@
 
 include <tunables/global>
 
-profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
+profile postfix-dnsblog /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog {
   include <abstractions/base>
 
-  /usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog mrix,
 
   /var/spool/postfix/private/dnsblog rw,
 

profiles/apparmor/profiles/extras/postfix-error

@@ -14,12 +14,12 @@
 
 include <tunables/global>
 
-profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
+profile postfix-error /usr/lib{,exec}/postfix/{bin/,sbin/,}error {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
 
-  /usr/lib/postfix/{bin/,sbin/,}error mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}error mrix,
 
   owner /var/spool/postfix/active/* rwk,
   /var/spool/postfix/pid/unix.error rwk,

profiles/apparmor/profiles/extras/postfix-flush

@@ -14,12 +14,12 @@
 
 include <tunables/global>
 
-profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
+profile postfix-flush /usr/lib{,exec}/postfix/{bin/,sbin/,}flush {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
 
-  /usr/lib/postfix/{bin/,sbin/,}flush                mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}flush         mrix,
 
   /{var/spool/postfix/,}deferred/                    r,
   /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,

profiles/apparmor/profiles/extras/postfix-lmtp

@@ -14,12 +14,12 @@
 
 include <tunables/global>
 
-profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
+profile postfix-lmtp /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
 
-  /usr/lib/postfix/{bin/,sbin/,}lmtp mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrix,
 
   /var/spool/postfix/active/* rwk,
   /var/spool/postfix/pid/unix.lmtp rwk,

profiles/apparmor/profiles/extras/postfix-local

@@ -14,7 +14,7 @@
 
 include <tunables/global>
 
-profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
+profile postfix-local /usr/lib{,exec}/postfix/{bin/,sbin/,}local {
   include <abstractions/base>
   include <abstractions/bash>
   include <abstractions/nameservice>
@@ -27,7 +27,7 @@ profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
   /var/mailman/mail/wrapper                             Px,
   /usr/bin/mlmmj-recieve                                Px,
 
-  /usr/lib/postfix/{bin/,sbin/,}local                   mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}local            mrix,
   /{usr/,}bin/bash                                      mixr,
   /{usr/,}bin/date                                      mixr,
 

profiles/apparmor/profiles/extras/postfix-master

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
+profile postfix-master /usr/lib{,exec}/postfix/{bin/,sbin/,}master {
   include <abstractions/base>
   include <abstractions/nameservice>
   include <abstractions/postfix-common>
@@ -37,25 +37,28 @@ profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
   /{var/spool/postfix/,}private/tlsmgr            rwl,
   /{var/spool/postfix/,}public/{cleanup,flush,pickup,postlog,qmgr,showq,tlsmgr} rwl,
 
-  /usr/lib/postfix/{bin/,sbin/,}anvil               Px,
-  /usr/lib/postfix/{bin/,sbin/,}bounce              Px,
-  /usr/lib/postfix/{bin/,sbin/,}cleanup             Px,
-  /usr/lib/postfix/{bin/,sbin/,}error               Px,
-  /usr/lib/postfix/{bin/,sbin/,}flush               Px,
-  /usr/lib/postfix/{bin/,sbin/,}local               Px,
-  /usr/lib/postfix/{bin/,sbin/,}lmtp                mrPx,
-  /usr/lib/postfix/{bin/,sbin/,}master              mrix,
-  /usr/lib/postfix/{bin/,sbin/,}nqmgr               Px,
-  /usr/lib/postfix/{bin/,sbin/,}proxymap            Px,
-  /usr/lib/postfix/{bin/,sbin/,}pickup              Px,
-  /usr/lib/postfix/{bin/,sbin/,}pipe                Px,
-  /usr/lib/postfix/{bin/,sbin/,}qmgr                Px,
-  /usr/lib/postfix/{bin/,sbin/,}scache              Px,
-  /usr/lib/postfix/{bin/,sbin/,}showq               Px,
-  /usr/lib/postfix/{bin/,sbin/,}smtp                Px,
-  /usr/lib/postfix/{bin/,sbin/,}smtpd               Px,
-  /usr/lib/postfix/{bin/,sbin/,}tlsmgr              Px,
-  /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite     Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce              Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup             Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}error               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}flush               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}local               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp                mrPx,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}master              mrix,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap            Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup              Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe                Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}postfix-tlsproxy    Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen          Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr                Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}scache              Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}showq               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp                Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn               Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr              Px,
+  /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rewrite     Px,
 
   owner /var/lib/postfix/master.lock rwk,