bump release version to 2.11.1

Merge from trunk revision 3715

The added testcase for a ptrace target with an empty string
(ptrace_garbage_lp1689667_1.in) was causing the swig python test script
to fail. The generated python swig record for libapparmor ends up
setting a number of fields to None or other values that indicate the
value is unset, and the test script was checking if the value in the
field didn't evaluate to False in a python 'if' test.

Unfortunately, python evaluates the empty string '' as False in 'if'
tests, resulting in the specific field that contained the empty string
to be dropped from the returned record. This commit fixes that by
special case checking for the empty string.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>

.bzrignore

@@ -2,6 +2,7 @@ apparmor-*
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
+parser/tst_lib
 parser/tst_misc
 parser/tst_regex
 parser/tst_symtab
@@ -19,6 +20,7 @@ parser/*.7.html
 parser/*.5.html
 parser/*.8.html
 parser/apparmor_parser
+parser/libapparmor_re/parse.cc
 parser/libapparmor_re/regexp.cc
 parser/techdoc.aux
 parser/techdoc.log

Makefile

@@ -19,7 +19,7 @@ DIRS=libraries/libapparmor \
 
 #REPO_URL?=lp:apparmor
 # --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
-REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
+REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/2.11
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"

common/Version

@@ -1 +1 @@
-2.11.0
+2.11.1

libraries/libapparmor/src/Makefile.am

@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 5
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 1
 AA_LIB_AGE = 4
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -121,7 +121,7 @@ class AAPythonBindingsTests(unittest.TestCase):
                     continue
                 else:
                     new_record[key] = str(value)
-            elif record.__getattr__(key):
+            elif value or value == '':
                 new_record[key] = str(value)
 
         return new_record

libraries/libapparmor/testsuite/Makefile.am

@@ -17,8 +17,8 @@ clean-local:
 	rm -rf tmp.err.* tmp.out.* site.exp site.bak test_multi/out
 	rm -f libaalogparse.log libaalogparse.sum
 
-check-local:
-	if ! test -f libaalogparse.log ; then echo '*** libaalogparse.log not found - is dejagnu installed? ***'; exit 1; fi
-	if grep ERROR libaalogparse.log ; then exit 1 ; fi
+check-local: check-DEJAGNU
+	@if ! test -f libaalogparse.log ; then echo '*** libaalogparse.log not found - is dejagnu installed? ***'; exit 1; fi
+	@if grep ERROR libaalogparse.log ; then exit 1 ; fi
 
 EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out

@@ -0,0 +1,11 @@
+START
+File: ptrace_garbage_lp1689667_1.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1494272099.261:3455
+Operation: ptrace
+Profile: /bin/netstat
+Command: netstat
+Name2: 
+PID: 1962
+Epoch: 1494272099
+Audit subid: 3455

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile

@@ -0,0 +1,2 @@
+/bin/netstat {
+}

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=8022C0FF81A0FFFF8022C0FF81A0FFFF1080CBFF81A0FFFF1080CBFF81A0FFFF2080CBFF81A0FFFF2080CBFF81A0FFFF9E03

libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out

@@ -0,0 +1,10 @@
+START
+File: ptrace_garbage_lp1689667_2.in
+Event type: AA_RECORD_INVALID
+Audit ID: 1494272099.261:3455
+Operation: ptrace
+Profile: /bin/netstat
+Command: netstat
+PID: 1962
+Epoch: 1494272099
+Audit subid: 3455

libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1495217772.047:4471): apparmor="DENIED" operation="ptrace" profile="/usr/bin/pidgin" pid=21704 comm="pidgin" peer="unconfined"

libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.out

@@ -0,0 +1,11 @@
+START
+File: ptrace_no_denied_mask.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1495217772.047:4471
+Operation: ptrace
+Profile: /usr/bin/pidgin
+Peer: unconfined
+Command: pidgin
+PID: 21704
+Epoch: 1495217772
+Audit subid: 4471

libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.profile

@@ -0,0 +1,2 @@
+/usr/bin/pidgin {
+}

parser/af_unix.cc

@@ -196,16 +196,20 @@ static void writeu16(std::ostringstream &o, int v)
 #define CMD_OPT		4
 
 void unix_rule::downgrade_rule(Profile &prof) {
+	unsigned int mask = (unsigned int) -1;
+
 	if (!prof.net.allow && !prof.alloc_net_table())
 		yyerror(_("Memory allocation error."));
+	if (sock_type_n != -1)
+		mask = 1 << sock_type_n;
 	if (deny) {
-		prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.deny[AF_UNIX] |= mask;
 		if (!audit)
-			prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.quiet[AF_UNIX] |= mask;
 	} else {
-		prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.allow[AF_UNIX] |= mask;
 		if (audit)
-			prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.audit[AF_UNIX] |= mask;
 	}
 }
 

parser/apparmor.d.pod

@@ -111,7 +111,7 @@ capabilities(7))
 
 B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
 
-B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ','
+B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' | 'smc' ) ','
 
 B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 

profiles/apparmor.d/abstractions/base

@@ -82,6 +82,7 @@
   @{PROC}/meminfo                r,
   @{PROC}/stat                   r,
   @{PROC}/cpuinfo                r,
+  /sys/devices/system/cpu/       r,
   /sys/devices/system/cpu/online r,
 
   # glibc's *printf protections read the maps file

profiles/apparmor.d/abstractions/freedesktop.org

@@ -10,10 +10,10 @@
 # ------------------------------------------------------------------
 
   # system configuration
-  /usr/share/applications/               r,
-  /usr/share/applications/defaults.list  r,
-  /usr/share/applications/mimeinfo.cache r,
-  /usr/share/applications/*.desktop      r,
+  /usr/{,local/}share/applications/{*/,}               r,
+  /usr/{,local/}share/applications/{*/,}defaults.list  r,
+  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
+  /usr/{,local/}share/applications/{*/,}*.desktop      r,
   /usr/share/icons/               r,
   /usr/share/icons/**             r,
   /usr/share/pixmaps/             r,

profiles/apparmor.d/abstractions/gnome

@@ -66,6 +66,10 @@
   /var/cache/**/icon-theme.cache  r,
   /usr/share/**/icon-theme.cache  r,
 
+  # GLib schemas
+  /usr/{local/,}share/glib-[0-9]*/schemas/   r,
+  /usr/{local/,}share/glib-[0-9]*/schemas/** r,
+
   # gnome VFS modules
   /etc/gnome-vfs-2.0/modules/ r,
   /etc/gnome-vfs-2.0/modules/* r,

profiles/apparmor.d/abstractions/nameservice

@@ -29,6 +29,7 @@
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/mc/passwd  r,
   /var/lib/sss/pipes/nss  rw,
 

profiles/apparmor.d/abstractions/perl

@@ -15,8 +15,8 @@
 
   /usr/lib{,32,64}/perl5/**                    r,
   /usr/lib{,32,64}/perl{,5}/**.so*             mr,
-  /usr/lib/@{multiarch}/perl{,5}/**            r,
-  /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
+  /usr/lib/@{multiarch}/perl{,5,-base}/**            r,
+  /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
 
   /usr/share/perl/**             r,
   /usr/share/perl5/**            r,

profiles/apparmor.d/abstractions/postfix-common

@@ -22,7 +22,7 @@
 
   /etc/mailname         r,
   /etc/postfix/*.cf     r,
-  /etc/postfix/*.db     r,
+  /etc/postfix/*.db     rk,
   @{PROC}/net/if_inet6  r,
   /usr/lib/postfix/*.so mr,
   /usr/lib{,32,64}/sasl2/*    mr,

profiles/apparmor.d/abstractions/python

@@ -10,18 +10,18 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
-  /usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{pyc,so}           mr,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{egg,py,pth}       r,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,
 
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
-  /usr/local/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{pyc,so}           mr,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{egg,py,pth}       r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,
 
   # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-5]}/** r,
+  /etc/python{2.[4-7],3.[0-6]}/** r,
 
   # shared python paths
   /usr/share/{pyshared,pycentral,python-support}/**      r,
@@ -34,4 +34,4 @@
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-5]}*/pyconfig.h r,
+  /usr/include/python{2.[4-7],3.[0-6]}*/pyconfig.h r,

profiles/apparmor.d/abstractions/samba

@@ -11,6 +11,7 @@
 
   /etc/samba/* r,
   /usr/lib*/ldb/*.so mr,
+  /usr/lib*/samba/ldb/*.so mr,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,

profiles/apparmor.d/abstractions/user-download

@@ -15,7 +15,7 @@
   owner @{HOME}/tmp/**       		rwl,
   owner @{HOME}/[dD]ownload{,s}/	r,
   owner @{HOME}/[dD]ownload{,s}/**	rwl,
-  owner @{HOME}/[a-zA-Z0-9]* 		rwl,
+  owner @{HOME}/[^.]*			rwl,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/	r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*	rwl,
   owner @{HOME}/@{XDG_DOWNLOAD_DIR}/	r,

profiles/apparmor.d/abstractions/user-write

@@ -14,8 +14,8 @@
   owner @{HOME}/@{XDG_DESKTOP_DIR}/       r,
   owner @{HOME}/@{XDG_DOCUMENTS_DIR}/     r,
   owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/   r,
-  owner @{HOME}/[a-zA-Z0-9]*/             rw,
-  owner @{HOME}/[a-zA-Z0-9]*              rwl,
+  owner @{HOME}/[^.]*/                    rw,
+  owner @{HOME}/[^.]*                     rwl,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/**     rwl,
   owner @{HOME}/@{XDG_DOCUMENTS_DIR}/**   rwl,
   owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl,

profiles/apparmor.d/abstractions/wayland

@@ -11,4 +11,4 @@
 
   owner /var/run/user/*/weston-shared-* rw,
   owner /run/user/*/wayland-[0-9]* rw,
-  owner /run/user/*/{mesa,mutter,sdl,weston,xwayland}-shared-* rw,
+  owner /run/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -26,6 +26,7 @@
 
   /usr/lib/dovecot/imap-login mr,
   /{,var/}run/dovecot/anvil rw,
+  /{,var/}run/dovecot/login-master-notify* rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.sbin.dovecot

@@ -12,7 +12,7 @@
 
 #include <tunables/global>
 
-/usr/sbin/dovecot {
+/usr/sbin/dovecot flags=(attach_disconnected) {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/dovecot-common>

profiles/apparmor.d/usr.sbin.traceroute

@@ -15,6 +15,7 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
 
+  deny capability net_admin, # noisy setsockopt() calls
   capability net_raw,
 
   network inet raw,
@@ -23,6 +24,7 @@
   /usr/sbin/traceroute mrix,
   /usr/bin/traceroute.db mrix,
   @{PROC}/net/route r,
+  @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.traceroute>

profiles/apparmor.d/usr.sbin.winbindd

@@ -20,6 +20,7 @@
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
+  /usr/lib*/samba/gensec/krb*.so mr,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,

profiles/apparmor/profiles/extras/usr.lib.postfix.anvil

@@ -13,7 +13,6 @@
 /usr/lib/postfix/anvil {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.bounce

@@ -13,7 +13,6 @@
 /usr/lib/postfix/bounce {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup

@@ -13,7 +13,6 @@
 /usr/lib/postfix/cleanup {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability net_bind_service,

profiles/apparmor/profiles/extras/usr.lib.postfix.error

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,13 @@
 /usr/lib/postfix/error {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
-  /usr/lib/postfix/error rmix,
+  @{PROC}/sys/kernel/ngroups_max r,
+  /usr/lib/postfix/error mrix,
+  owner /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/pid/unix.error rwk,
+  /var/spool/postfix/pid/unix.retry rwk,
+  owner /var/spool/postfix/private/defer w,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.flush

@@ -13,7 +13,6 @@
 /usr/lib/postfix/flush {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,10 @@
 /usr/lib/postfix/lmtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
-  /usr/lib/postfix/lmtp rmix,
+  /usr/lib/postfix/lmtp mrix,
+  /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/pid/unix.lmtp rwk,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.local

@@ -14,7 +14,6 @@
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/user-mail>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.master

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/master {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/nqmgr {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.pickup

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/pickup {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.pipe

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,6 +13,14 @@
 
 /usr/lib/postfix/pipe {
   #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/postfix-common>
+
+  /usr/lib/postfix/pipe mrix,
+  /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/private/bounce w,
+  /var/spool/postfix/private/defer w,
+  /var/spool/postfix/private/rewrite w,
+  /var/spool/postfix/private/trace w,
 
-  /usr/lib/postfix/pipe rmix,
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/qmgr {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd

@@ -13,7 +13,6 @@
 /usr/lib/postfix/qmqpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/qmqpd rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.showq

@@ -13,7 +13,6 @@
 /usr/lib/postfix/showq {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/showq                       rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.smtp

@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
   #include <abstractions/openssl>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd

@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
   #include <abstractions/openssl>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.spawn

@@ -13,7 +13,6 @@
 /usr/lib/postfix/spawn {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/spawn rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite

@@ -13,7 +13,6 @@
 /usr/lib/postfix/trivial-rewrite {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/trivial-rewrite            rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.verify

@@ -13,7 +13,6 @@
 /usr/lib/postfix/verify {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/verify rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.virtual

@@ -13,7 +13,6 @@
 /usr/lib/postfix/virtual {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

utils/aa-audit.pod

@@ -6,7 +6,7 @@ aa-audit - set an AppArmor security profile to I<audit> mode.
 
 =head1 SYNOPSIS
 
-B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 
 =head1 OPTIONS
 
@@ -15,9 +15,12 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 B<-r --remove>
 
-   Removes the audit mode for the profile.  
+   Removes the audit mode for the profile.
 
 =head1 DESCRIPTION
 

utils/aa-cleanprof.pod

@@ -6,7 +6,7 @@ aa-cleanprof - clean an existing AppArmor security profile.
 
 =head1 SYNOPSIS
 
-B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-s>]>
+B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload]> [I<-s>]>
 
 =head1 OPTIONS
 
@@ -15,6 +15,9 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 B<-s --silent>
 
    Silently overwrites the profile without user prompt.
@@ -22,7 +25,7 @@ B<-s --silent>
 =head1 DESCRIPTION
 
 B<aa-cleanprof> is used to perform a cleanup on one or more profiles.
-The tool removes any existing superfluous rules (rules that are covered 
+The tool removes any existing superfluous rules (rules that are covered
 under an include or another rule), reorders the rules to group similar rules
 together and removes all comments from the file.
 

utils/aa-complain.pod

@@ -26,7 +26,7 @@ aa-complain - set an AppArmor security profile to I<complain> mode.
 
 =head1 SYNOPSIS
 
-B<< aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 
 =head1 OPTIONS
 
@@ -35,6 +35,9 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 =head1 DESCRIPTION
 
 B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode.

utils/aa-disable.pod

@@ -26,7 +26,7 @@ aa-disable - disable an AppArmor security profile
 
 =head1 SYNOPSIS
 
-B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 
 =head1 OPTIONS
 
@@ -35,11 +35,14 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not unreload the profile after modifying it.
+
 =head1 DESCRIPTION
 
-B<aa-disable> is used to I<disable> one or more profiles. 
+B<aa-disable> is used to I<disable> one or more profiles.
 This command will unload the profile from the kernel and prevent the
-profile from being loaded on AppArmor startup. 
+profile from being loaded on AppArmor startup.
 The I<aa-enforce> and I<aa-complain> utilities may be used to to change
 this behavior.
 

utils/aa-enforce.pod

@@ -27,7 +27,7 @@ being disabled or I<complain> mode.
 
 =head1 SYNOPSIS
 
-B<< aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 
 =head1 OPTIONS
 
@@ -36,12 +36,15 @@ B<-d --dir / path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 =head1 DESCRIPTION
 
 B<aa-enforce> is used to set one or more profiles to I<enforce> mode.
 This command is only relevant in conjunction with the I<aa-complain> utility
 which sets a profile to complain mode and the I<aa-disable> utility which
-unloads and disables a profile. 
+unloads and disables a profile.
 The default mode for a security policy is enforce and the I<aa-complain>
 utility must be run to change this behavior.
 

utils/aa-status.pod

@@ -102,23 +102,23 @@ following values:
 
 =over 4
 
-=item 0
+=item B<0>
 
 if apparmor is enabled and policy is loaded.
 
-=item 1
+=item B<1>
 
 if apparmor is not enabled/loaded.
 
-=item 2
+=item B<2>
 
 if apparmor is enabled but no policy is loaded.
 
-=item 3
+=item B<3>
 
 if the apparmor control files aren't available under /sys/kernel/security/.
 
-=item 4
+=item B<4>
 
 if the user running the script doesn't have enough privileges to read
 the apparmor control files.

utils/apparmor/aa.py

@@ -1374,24 +1374,16 @@ def handle_children(profile, hat, root):
                             if ynans == 'y':
                                 hat = exec_target
                                 if not aa[profile].get(hat, False):
-                                    aa[profile][hat] = profile_storage(profile, hat, 'handle_children()')
+                                    stub_profile = create_new_profile(hat, True)
+                                    aa[profile][hat] = stub_profile[hat][hat]
+
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
                                     aa[profile][hat]['flags'] = aa[profile][profile]['flags']
 
-                                stub_profile = create_new_profile(hat, True)
-
                                 aa[profile][hat]['flags'] = 'complain'
 
-                                aa[profile][hat]['allow']['path'] = hasher()
-                                if stub_profile[hat][hat]['allow'].get('path', False):
-                                    aa[profile][hat]['allow']['path'] = stub_profile[hat][hat]['allow']['path']
-
-                                aa[profile][hat]['include'] = hasher()
-                                if stub_profile[hat][hat].get('include', False):
-                                    aa[profile][hat]['include'] = stub_profile[hat][hat]['include']
-
                                 file_name = aa[profile][profile]['filename']
                                 filelist[file_name]['profiles'][profile][hat] = True
 
@@ -1967,13 +1959,15 @@ def save_profiles():
             q.explanation = _('The following local profiles were changed. Would you like to save them?')
             q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
             q.default = 'CMD_VIEW_CHANGES'
-            q.options = changed
             q.selected = 0
             ans = ''
             arg = None
             while ans != 'CMD_SAVE_CHANGES':
                 if not changed:
                     return
+
+                q.options = sorted(changed.keys())
+
                 ans, arg = q.promptUser()
                 if ans == 'CMD_SAVE_SELECTED':
                     profile_name = list(changed.keys())[arg]
@@ -3574,6 +3568,9 @@ def get_file_perms(profile, path, audit, deny):
                     for perm in incperms[allow_or_deny][owner_or_all]:
                         perms[allow_or_deny][owner_or_all].add(perm)
 
+                    if 'a' in perms[allow_or_deny][owner_or_all] and 'w' in perms[allow_or_deny][owner_or_all]:
+                        perms[allow_or_deny][owner_or_all].remove('a')  # a is a subset of w, so remove it
+
             for incpath in incperms['paths']:
                 perms['paths'].add(incpath)
 
@@ -3598,6 +3595,9 @@ def propose_file_rules(profile_obj, rule_obj):
         merged_rule_obj.perms.add(perm)
         merged_rule_obj.raw_rule = None
 
+    if 'a' in merged_rule_obj.perms and 'w' in merged_rule_obj.perms:
+        merged_rule_obj.perms.remove('a')  # a is a subset of w, so remove it
+
     pathlist = {original_path} | existing_perms['paths'] | set(glob_common(original_path))
 
     for user_glob in user_globs:

utils/apparmor/logparser.py

@@ -338,6 +338,13 @@ class ReadLog:
             return(e['pid'], e['parent'], 'unknown_hat',
                              [profile, hat, aamode, hat])
         elif e['operation'] == 'ptrace':
+            if not e['peer']:
+                self.debug_logger.debug('ignored garbage ptrace event with empty peer')
+                return None
+            if not e['denied_mask']:
+                self.debug_logger.debug('ignored garbage ptrace event with empty denied_mask')
+                return None
+
             return(e['pid'], e['parent'], 'ptrace',
                              [profile, hat, prog, aamode, e['denied_mask'], e['peer']])
         elif e['operation'] == 'signal':

utils/apparmor/rule/network.py

@@ -27,7 +27,7 @@ _ = init_translation()
 network_domain_keywords   = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
                               'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
                               'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
-                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
+                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm', 'smc' ]
 
 network_type_keywords     = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
 network_protocol_keywords = ['tcp', 'udp', 'icmp']

utils/test/test-aa.py

@@ -781,6 +781,7 @@ class AaTest_get_file_perms_1(AATest):
 class AaTest_get_file_perms_2(AATest):
     tests = [
         ('/usr/share/common-licenses/foo/bar',      {'allow': {'all': {'r'},            'owner': {'w'}  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/usr/share/common-licenses/**'}              }),
+        ('/usr/share/common-licenses/what/ever',    {'allow': {'all': {'r'},            'owner': {'w'}  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/usr/share/common-licenses/**', '/usr/share/common-licenses/what/ever'}      }),
         ('/dev/null',                               {'allow': {'all': {'r', 'w', 'k'},  'owner': set()  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/dev/null'}                                  }),
         ('/foo/bar',                                {'allow': {'all': {'r', 'w'},       'owner': set()  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/foo/bar'}                                   }),  # exec perms not included
         ('/no/thing',                               {'allow': {'all': set(),            'owner': set()  }, 'deny': {'all':set(),    'owner': set()},    'paths': set()                                          }),
@@ -808,6 +809,7 @@ class AaTest_get_file_perms_2(AATest):
         profile['include']['abstractions/enchant'] = True  # includes abstractions/aspell
 
         profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/**  w,'))
+        profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/what/ever a,'))  # covered by the above 'w' rule, so 'a' should be ignored
         profile['file'].add(FileRule.parse('/dev/null rwk,'))
         profile['file'].add(FileRule.parse('/foo/bar rwix,'))
 
@@ -822,6 +824,7 @@ class AaTest_propose_file_rules(AATest):
         (['/foo/bar',                           'rw'],  ['/foo/bar rw,']                                                                                                        ),
         (['/usr/lib/ispell/',                   'w'],   ['/{usr/,}lib{,32,64}/** rw,', '/usr/lib/ispell/ rw,']                                                                     ),
         (['/usr/lib/aspell/some.so',            'k'],   ['/usr/lib/aspell/* mrk,', '/usr/lib/aspell/*.so mrk,', '/{usr/,}lib{,32,64}/** mrk,', '/usr/lib/aspell/some.so mrk,']     ),
+        (['/foo/log',                           'w'],   ['/foo/log w,']                                                                                                            ),
     ]
 
     def _run_test(self, params, expected):
@@ -850,6 +853,7 @@ class AaTest_propose_file_rules(AATest):
         profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/**  w,'))
         profile['file'].add(FileRule.parse('/dev/null rwk,'))
         profile['file'].add(FileRule.parse('/foo/bar rwix,'))
+        profile['file'].add(FileRule.parse('/foo/log a,'))  # will be replaced with '/foo/log w,' (not 'wa')
 
         rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
         proposals = propose_file_rules(profile, rule_obj)

utils/test/test-libapparmor-test_multi.py

@@ -66,6 +66,8 @@ class TestLibapparmorTestMulti(AATest):
                     pass
                 elif parsed_items['operation'] == 'exec' and label in ['sock_type', 'family', 'protocol']:
                     pass  # XXX 'exec' + network? really?
+                elif parsed_items['operation'] == 'ptrace' and label == 'name2' and params.endswith('/ptrace_garbage_lp1689667_1'):
+                    pass  # libapparmor would better qualify this case as invalid event
                 elif not parsed_items.get(label, None):
                     raise Exception('parsed_items[%s] not set' % label)
                 elif not expected.get(label, None):

utils/test/test-parser-simple-tests.py

@@ -49,6 +49,15 @@ exception_not_raised = [
     'change_profile/onx_conflict_unsafe1.sd',
     'change_profile/onx_conflict_unsafe2.sd',
 
+    # duplicated conditionals aren't detected by the tools
+    'generated_dbus/duplicated-conditionals-45127.sd',
+    'generated_dbus/duplicated-conditionals-45131.sd',
+    'generated_dbus/duplicated-conditionals-45124.sd',
+    'generated_dbus/duplicated-conditionals-45130.sd',
+    'generated_dbus/duplicated-conditionals-45125.sd',
+    'generated_dbus/duplicated-conditionals-45128.sd',
+    'generated_dbus/duplicated-conditionals-45129.sd',
+
     'dbus/bad_modifier_2.sd',
     'dbus/bad_regex_01.sd',
     'dbus/bad_regex_02.sd',