Prepare for AppArmor 3.0.1 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

binutils/Makefile

@@ -156,12 +156,12 @@ install-arch: arch
 	install -m 755 -d ${SBINDIR}
 	ln -sf aa-status ${SBINDIR}/apparmor_status
 	install -m 755 ${SBINTOOLS} ${SBINDIR}
-	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
 
 .PHONY: install-indep
 install-indep: indep
 	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
+	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
 
 ifndef VERBOSE
 .SILENT: clean

binutils/aa-enabled.pod

@@ -83,7 +83,7 @@ if B<aa-enabled> doesn't have enough privileges to read the apparmor control fil
 
 =item B<10>
 
-AppArmor is enabled but does not have access to shared LSM interaces.
+AppArmor is enabled but does not have access to shared LSM interfaces.
 
 =item B<64>
 

binutils/aa-features-abi.pod

@@ -32,7 +32,7 @@ B<aa-features-abi> [OPTIONS] <SOURCE> [OUTPUT OPTIONS]
 
 B<aa-features-abi> is used to extract a features abi and output to
 either stdout or a specified file. A SOURCE_OPTION must be specified.
-If an output option is not specified the features abi is writen to
+If an output option is not specified the features abi is written to
 stdout.
 
 =head1 OPTIONS

binutils/aa_enabled.c

@@ -20,7 +20,7 @@ void print_help(const char *command)
 {
 	printf(_("%s: [options]\n"
 		 "  options:\n"
-		 "  -x | --exclusive    Shared interfaces must be availabe\n"
+		 "  -x | --exclusive    Shared interfaces must be available\n"
 		 "  -q | --quiet        Don't print out any messages\n"
 		 "  -h | --help         Print help\n"),
 	       command);

binutils/aa_status.c

@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>

binutils/po/aa_enabled.pot

@@ -1,13 +1,14 @@
-# Copyright (C) 2015 Canonical Ltd
-# This file is distributed under the same license as the AppArmor package.
-# John Johansen <john.johansen@canonical.com>, 2015.
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"POT-Creation-Date: 2020-10-14 03:58-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,51 +17,57 @@ msgstr ""
 "Content-Type: text/plain; charset=CHARSET\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: ../aa_enabled.c:26
+#: ../aa_enabled.c:21
 #, c-format
 msgid ""
 "%s: [options]\n"
 "  options:\n"
+"  -x | --exclusive    Shared interfaces must be availabe\n"
 "  -q | --quiet        Don't print out any messages\n"
 "  -h | --help         Print help\n"
 msgstr ""
 
-#: ../aa_enabled.c:45
-#, c-format
-msgid "unknown or incompatible options\n"
-msgstr ""
-
-#: ../aa_enabled.c:55
-#, c-format
-msgid "unknown option '%s'\n"
-msgstr ""
-
-#: ../aa_enabled.c:64
-#, c-format
-msgid "Yes\n"
-msgstr ""
-
-#: ../aa_enabled.c:71
+#: ../aa_enabled.c:37
 #, c-format
 msgid "No - not available on this system.\n"
 msgstr ""
 
-#: ../aa_enabled.c:74
+#: ../aa_enabled.c:41
 #, c-format
 msgid "No - disabled at boot.\n"
 msgstr ""
 
-#: ../aa_enabled.c:77
+#: ../aa_enabled.c:45
 #, c-format
 msgid "Maybe - policy interface not available.\n"
 msgstr ""
 
-#: ../aa_enabled.c:81
+#: ../aa_enabled.c:50
 #, c-format
 msgid "Maybe - insufficient permissions to determine availability.\n"
 msgstr ""
 
-#: ../aa_enabled.c:84
+#: ../aa_enabled.c:54
 #, c-format
-msgid "Error - '%s'\n"
+msgid "Partially - public shared interfaces are not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:58
+#, c-format
+msgid "Error - %s\n"
+msgstr ""
+
+#: ../aa_enabled.c:73
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:87
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:98
+#, c-format
+msgid "Yes\n"
 msgstr ""

binutils/po/aa_exec.pot

@@ -0,0 +1,55 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:58-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_exec.c:50
+#, c-format
+msgid ""
+"USAGE: %s [OPTIONS] <prog> <args>\n"
+"\n"
+"Confine <prog> with the specified PROFILE.\n"
+"\n"
+"OPTIONS:\n"
+"  -p PROFILE, --profile=PROFILE\t\tPROFILE to confine <prog> with\n"
+"  -n NAMESPACE, --namespace=NAMESPACE\tNAMESPACE to confine <prog> in\n"
+"  -d, --debug\t\t\t\tshow messages with debugging information\n"
+"  -i, --immediate\t\t\tchange profile immediately instead of at exec\n"
+"  -v, --verbose\t\t\t\tshow messages with stats\n"
+"  -h, --help\t\t\t\tdisplay this help\n"
+"\n"
+msgstr ""
+
+#: ../aa_exec.c:65
+#, c-format
+msgid "[%ld] aa-exec: ERROR: "
+msgstr ""
+
+#: ../aa_exec.c:76
+#, c-format
+msgid "[%ld] aa-exec: DEBUG: "
+msgstr ""
+
+#: ../aa_exec.c:89
+#, c-format
+msgid "[%ld] "
+msgstr ""
+
+#: ../aa_exec.c:107
+#, c-format
+msgid "[%ld] exec"
+msgstr ""

binutils/po/aa_features_abi.pot

@@ -0,0 +1,51 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:58-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_features_abi.c:53
+#, c-format
+msgid ""
+"USAGE: %s [OPTIONS] <SOURCE> [OUTPUT OPTIONS]\n"
+"\n"
+"Output AppArmor feature abi from SOURCE to OUTPUT\n"
+"OPTIONS:\n"
+"  -d, --debug      show messages with debugging information\n"
+"  -v, --verbose    show messages with stats\n"
+"  -h, --help       display this help\n"
+"SOURCE:\n"
+"  -f F, --file=F   load features abi from file F\n"
+"  -x, --extract    extract features abi from the kernel\n"
+"OUTPUT OPTIONS:\n"
+"  --stdout         default, write features to stdout\n"
+"  -w F, --write=F  write features abi to the file F instead of stdout\n"
+"\n"
+msgstr ""
+
+#: ../aa_features_abi.c:73
+#, c-format
+msgid "%s: ERROR: "
+msgstr ""
+
+#: ../aa_features_abi.c:85
+#, c-format
+msgid "%s: DEBUG: "
+msgstr ""
+
+#: ../aa_features_abi.c:98
+msgid "\n"
+msgstr ""

common/Version

@@ -1 +1 @@
-3.0.0
+3.0.1

libraries/libapparmor/include/sys/apparmor.h

@@ -21,6 +21,7 @@
 #include <stdbool.h>
 #include <stdint.h>
 #include <unistd.h>
+#include <sys/socket.h>
 #include <sys/types.h>
 
 #ifdef __cplusplus

libraries/libapparmor/src/Makefile.am

@@ -26,9 +26,9 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
-AA_LIB_CURRENT = 8
+AA_LIB_CURRENT = 9
 AA_LIB_REVISION = 0
-AA_LIB_AGE = 7
+AA_LIB_AGE = 8
 
 SUFFIXES = .pc.in .pc
 

libraries/libapparmor/src/kernel.c

@@ -227,9 +227,10 @@ static inline pid_t aa_gettid(void)
  * present.
  */
 static pthread_once_t proc_attr_base_ctl = PTHREAD_ONCE_INIT;
-static char *proc_attr_base = "/proc/%d/attr/%s";
-static char *proc_attr_base_stacking = "/proc/%d/attr/apparmor/%s";
-static char *proc_attr_base_unavailable = "/proc/%d/attr/apparmor/unavailable/%s";
+static const char *proc_attr_base_old = "/proc/%d/attr/%s";
+static const char *proc_attr_base_stacking = "/proc/%d/attr/apparmor/%s";
+static const char *proc_attr_base_unavailable = "/proc/%d/attr/apparmor/unavailable/%s";
+static const char *proc_attr_base;
 
 static void proc_attr_base_init_once(void)
 {
@@ -247,8 +248,9 @@ static void proc_attr_base_init_once(void)
 		 * in use by another LSM
 		 */
 		proc_attr_base = proc_attr_base_unavailable;
+	} else {
+		proc_attr_base = proc_attr_base_old;
 	}
-	/* else default to pre-assigned value */
 }
 
 static char *procattr_path(pid_t pid, const char *attr)
@@ -262,6 +264,38 @@ static char *procattr_path(pid_t pid, const char *attr)
 	return NULL;
 }
 
+static int procattr_open(pid_t tid, const char *attr, int flags)
+{
+	char *tmp;
+	int fd;
+
+	tmp = procattr_path(tid, attr);
+	if (!tmp) {
+		return -1;
+	}
+	fd = open(tmp, flags);
+	free(tmp);
+	/* Test is we can fallback to a different interface this is ugly.
+	 * If only the old interface is available:
+	 *    proc_attr_base == proc_attr_base_old - no fallback
+	 * else if is_enabled()
+	 *    apparmor is available on the old interface
+	 *    we do NOT use is_private_enabled() as
+	 *    1. the new private interface would have been tried first above
+	 *    2. that can be true even when another LSM is using the
+	 *       old interface where is_enabled() is only successful if
+	 *       the old interface is available to apparmor.
+	 */
+	if (fd == -1 && errno == EACCES && proc_attr_base != proc_attr_base_old && is_enabled()) {
+		if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0)
+			return -1;
+		fd = open(tmp, flags);
+		free(tmp);
+	}
+
+	return fd;
+}
+
 /**
  * parse_unconfined - check for the unconfined label
  * @con: the confinement context
@@ -371,12 +405,7 @@ int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 		goto out;
 	}
 
-	tmp = procattr_path(tid, attr);
-	if (!tmp)
-		goto out;
-
-	fd = open(tmp, O_RDONLY);
-	free(tmp);
+	fd = procattr_open(tid, attr, O_RDONLY);
 	if (fd == -1) {
 		goto out;
 	}
@@ -487,18 +516,13 @@ static int setprocattr(pid_t tid, const char *attr, const char *buf, int len)
 {
 	int rc = -1;
 	int fd, ret;
-	char *ctl = NULL;
 
 	if (!buf) {
 		errno = EINVAL;
 		goto out;
 	}
 
-	ctl = procattr_path(tid, attr);
-	if (!ctl)
-		goto out;
-
-	fd = open(ctl, O_WRONLY);
+	fd = procattr_open(tid, attr, O_WRONLY);
 	if (fd == -1) {
 		goto out;
 	}
@@ -519,9 +543,6 @@ static int setprocattr(pid_t tid, const char *attr, const char *buf, int len)
 	(void)close(fd);
 
 out:
-	if (ctl) {
-		free(ctl);
-	}
 	return rc;
 }
 

libraries/libapparmor/src/libapparmor.map

@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
 
 APPARMOR_3.0 {
   global:
+	aa_features_new_from_file;
 	aa_features_write_to_fd;
 	aa_features_value;
   local:
@@ -126,6 +127,7 @@ APPARMOR_3.0 {
 PRIVATE {
 	global:
 		_aa_is_blacklisted;
+		_aa_asprintf;
 		_aa_autofree;
 		_aa_autoclose;
 		_aa_autofclose;

parser/Makefile

@@ -54,7 +54,7 @@ endif
 CPPFLAGS += -D_GNU_SOURCE
 
 STDLIB_INCLUDE:="\#include <stdlib.h>"
-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
 
 WARNINGS = -Wall
 CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}

parser/apparmor.d.pod

@@ -1273,7 +1273,7 @@ I<auto> keyword. Eg.
 To indicate that the rule only applies to auto binding of unix domain
 sockets. It is important to note this only applies to the I<bind>
 permission as once the socket is bound to an address it is
-indistiguishable from a socket that have an addr bound with a
+indistinguishable from a socket that have an addr bound with a
 specified name. When the I<auto> keyword is used with other permissions
 or as part of a peer addr it will be replaced with a pattern that
 can match an autobound socket. Eg. For some kernels
@@ -1752,7 +1752,7 @@ If the policy abi is specified as B<kernel> then the running kernel's
 abi will be used. This should never be used in shipped policy as it
 can cause system breakage when a new kernel is installed.
 
-=head3 ABI compatability with AppArmor 2.x
+=head3 ABI compatibility with AppArmor 2.x
 
 AppArmor 3 remains compatible with AppArmor 2.x by detecting when a
 profile does not have a feature ABI specified. In this case the policy

parser/apparmor_xattrs.pod

@@ -27,7 +27,7 @@
 
 =head1 NAME
 
-AppArmor profile xattr(7) matching
+apparmor_xattrs - AppArmor profile xattr(7) matching
 
 =head1 DESCRIPTION
 

parser/base_cap_names.h

@@ -8,6 +8,8 @@
 
 {"bpf", CAP_BPF, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
 
+{"checkpoint_restore", CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
+
 {"chown", CAP_CHOWN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
 
 {"dac_override", CAP_DAC_OVERRIDE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},

parser/capability.h

@@ -29,6 +29,10 @@
 #define CAP_BPF 39
 #endif
 
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE 40
+#endif
+
 typedef enum capability_flags {
 	CAPFLAGS_CLEAR = 0,
 	CAPFLAG_BASE_FEATURE = 1,

parser/parser.conf

@@ -65,10 +65,15 @@
 ### policy to be used in AppArmor 3.x without the warning
 ###    Warning from stdin (stdin line 1): apparmor_parser: File 'example'
 ###    missing feature abi, falling back to default policy feature abi.
+### For more info please see
+### https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi
+
+### Turn off abi rule warnings without pinning the abi
+#warn=no-abi
 
 ### Only a single feature ABI rule should be used at a time.
 ## Pin older policy to the 5.4 kernel abi
-#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network
+#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla
 
 ## Pin older policy to the 5.4 kernel abi + out of tree network and af_unix
-#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla
+#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network

parser/parser_main.c

@@ -259,7 +259,7 @@ optflag_table_t warnflag_table[] = {
 	{ 1, "jobs", "enable job control warnings", WARN_JOBS },
 	{ 1, "dangerous", "warn on dangerous policy", WARN_DANGEROUS },
 	{ 1, "unexpected", "warn when an unexpected condition is found", WARN_UNEXPECTED },
-	{ 1, "format", "warn on unnecessary or confusing formating", WARN_FORMAT },
+	{ 1, "format", "warn on unnecessary or confusing formatting", WARN_FORMAT },
 	{ 1, "missing", "warn when missing qualifier and a default is used", WARN_MISSING },
 	{ 1, "override", "warn when overriding", WARN_OVERRIDE },
 	{ 1, "dev", "turn on warnings that are useful for profile development", WARN_DEV },
@@ -1159,9 +1159,11 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
 	/* cache file generated by load_policy */
 	retval = load_policy(option, kernel_interface, cachetmp);
 	if (retval == 0 && write_cache) {
-		if (cachetmp == -1) {
+		if (force_complain) {
+			pwarn(WARN_CACHE, "Caching disabled for: '%s' due to force complain\n", basename);
+		} else if (cachetmp == -1) {
 			unlink(cachetmpname);
-			pwarn(WARN_CACHE, "Warning failed to create cache: %s\n",
+			pwarn(WARN_CACHE, "Failed to create cache: %s\n",
 			       basename);
 		} else {
 			install_cache(cachetmpname, writecachename);

parser/po/apparmor-parser.pot

@@ -1,5 +1,5 @@
 # SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR NOVELL, Inc.
+# Copyright (C) YEAR Canonical Ltd
 # This file is distributed under the same license as the PACKAGE package.
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2014-09-13 00:11-0700\n"
+"POT-Creation-Date: 2020-10-14 04:04-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,95 +17,106 @@ msgstr ""
 "Content-Type: text/plain; charset=CHARSET\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: ../parser_include.c:113 ../parser_include.c:111
+#: ../parser_include.c:113 ../parser_include.c:111 ../parser_include.c:96
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123 ../parser_include.c:121
+#: ../parser_include.c:123 ../parser_include.c:121 ../parser_include.c:106
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
 
-#: ../parser_include.c:137
+#: ../parser_include.c:137 ../parser_include.c:122
 #, c-format
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147 ../parser_include.c:151
+#: ../parser_include.c:147 ../parser_include.c:151 ../parser_include.c:136
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
 #: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
+#: ../parser_interface.c:52
 msgid "Bad write position\n"
 msgstr ""
 
 #: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
+#: ../parser_interface.c:55
 msgid "Permission denied\n"
 msgstr ""
 
 #: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
+#: ../parser_interface.c:58
 msgid "Out of memory\n"
 msgstr ""
 
 #: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
+#: ../parser_interface.c:61
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
 #: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
+#: ../parser_interface.c:64
 msgid "Profile doesn't conform to protocol\n"
 msgstr ""
 
 #: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
+#: ../parser_interface.c:67
 msgid "Profile does not match signature\n"
 msgstr ""
 
 #: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
+#: ../parser_interface.c:70
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
 #: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
+#: ../parser_interface.c:73
 msgid "Profile already exists\n"
 msgstr ""
 
 #: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
+#: ../parser_interface.c:76
 msgid "Profile doesn't exist\n"
 msgstr ""
 
 #: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
+#: ../parser_interface.c:79
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
 #: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
+#: ../parser_interface.c:82
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
-#: ../parser_interface.c:116 ../parser_interface.c:119
-#: ../parser_interface.c:96
+#: ../parser_interface.c:116 ../parser_interface.c:119 ../parser_interface.c:96
+#: ../parser_interface.c:100
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
-#: ../parser_interface.c:101
+#: ../parser_interface.c:101 ../parser_interface.c:105
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
-#: ../parser_interface.c:106
+#: ../parser_interface.c:106 ../parser_interface.c:110
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
-#: ../parser_interface.c:111
+#: ../parser_interface.c:111 ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr ""
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
-#: ../parser_interface.c:115
+#: ../parser_interface.c:115 ../parser_interface.c:119
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
@@ -113,24 +124,25 @@ msgstr ""
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
 #: ../parser_interface.c:118 ../parser_interface.c:142
+#: ../parser_interface.c:123 ../parser_interface.c:147
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr ""
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
-#: ../parser_interface.c:127
+#: ../parser_interface.c:127 ../parser_interface.c:132
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
-#: ../parser_interface.c:131
+#: ../parser_interface.c:131 ../parser_interface.c:136
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
-#: ../parser_interface.c:135
+#: ../parser_interface.c:135 ../parser_interface.c:140
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr ""
@@ -141,7 +153,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr ""
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
-#: ../parser_interface.c:446
+#: ../parser_interface.c:446 ../parser_interface.c:476
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -186,7 +198,7 @@ msgid "%s: Unable to write entire profile entry\n"
 msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
-#: ../parser_interface.c:593
+#: ../parser_interface.c:593 ../parser_interface.c:579
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
@@ -196,7 +208,7 @@ msgstr ""
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173 parser_lex.l:174
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -222,7 +234,7 @@ msgstr ""
 msgid "Found unexpected character: '%s'"
 msgstr ""
 
-#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428 parser_lex.l:474
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -242,6 +254,7 @@ msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
 #: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
+#: ../parser_main.c:1444
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
@@ -249,6 +262,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
+#: ../parser_main.c:822
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
@@ -256,6 +270,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
+#: ../parser_main.c:828
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -264,7 +279,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946 ../parser_main.c:860
+#: ../parser_main.c:946 ../parser_main.c:860 ../parser_main.c:1038
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -286,26 +301,36 @@ msgstr ""
 #: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
 #: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
 #: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
-#: ../network.c:314 ../af_unix.cc:203
+#: ../network.c:314 ../af_unix.cc:203 ../parser_misc.c:215 ../parser_misc.c:939
+#: parser_yacc.y:343 parser_yacc.y:367 parser_yacc.y:533 parser_yacc.y:543
+#: parser_yacc.y:660 parser_yacc.y:741 parser_yacc.y:750 parser_yacc.y:1171
+#: parser_yacc.y:1219 parser_yacc.y:1255 parser_yacc.y:1264 parser_yacc.y:1268
+#: parser_yacc.y:1278 parser_yacc.y:1288 parser_yacc.y:1382 parser_yacc.y:1460
+#: parser_yacc.y:1592 parser_yacc.y:1597 parser_yacc.y:1674 parser_yacc.y:1692
+#: parser_yacc.y:1699 parser_yacc.y:1748 ../network.c:315 ../af_unix.cc:194
 msgid "Memory allocation error."
 msgstr ""
 
 #: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
+#: ../parser_main.c:975
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
+#: ../parser_main.c:979
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
+#: ../parser_main.c:1132
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
 #: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
+#: ../parser_misc.c:532
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
@@ -313,14 +338,17 @@ msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
 #: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
+#: ../parser_misc.c:573 ../parser_misc.c:580
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
 #: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
+#: ../parser_misc.c:597
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
+#: ../parser_misc.c:608
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -329,22 +357,26 @@ msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
 #: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
+#: ../parser_misc.c:616 ../parser_misc.c:657
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
 #: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
+#: ../parser_misc.c:643 ../parser_misc.c:651
 #, c-format
 msgid "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
+#: ../parser_misc.c:699
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
 #: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
+#: ../parser_misc.c:721
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -356,10 +388,12 @@ msgid "AppArmor parser error: %s\n"
 msgstr ""
 
 #: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
+#: ../parser_merge.c:71
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
 #: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
+#: ../parser_merge.c:93
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
@@ -368,114 +402,117 @@ msgstr ""
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348 parser_yacc.y:407
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384 parser_yacc.y:449
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506 parser_yacc.y:581
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510 parser_yacc.y:585
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513 parser_yacc.y:588
 msgid "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516 parser_yacc.y:591
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530 parser_yacc.y:607
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552 parser_yacc.y:629
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
 #: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
+#: parser_yacc.y:673
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
-#: parser_yacc.y:598 parser_yacc.y:630
+#: parser_yacc.y:598 parser_yacc.y:630 parser_yacc.y:677 parser_yacc.y:709
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602 parser_yacc.y:681
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633 parser_yacc.y:712
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
 #: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
+#: parser_yacc.y:739
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786 parser_yacc.y:867
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810 parser_yacc.y:905
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819 parser_yacc.y:914
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992 parser_yacc.y:1077
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092 parser_yacc.y:1181
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060 parser_yacc.y:1148
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062 parser_yacc.y:1150
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064 parser_yacc.y:1152
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109 parser_yacc.y:1198
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
-#: parser_yacc.y:1145 parser_yacc.y:1155
+#: parser_yacc.y:1145 parser_yacc.y:1155 parser_yacc.y:1234 parser_yacc.y:1244
 msgid "Invalid network entry."
 msgstr ""
 
 #: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
+#: parser_yacc.y:1617
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525 parser_yacc.y:1637
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
@@ -491,17 +528,20 @@ msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 
 #: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
+#: ../parser_regex.c:306
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 
 #: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
+#: ../parser_regex.c:312
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 
 #: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
+#: ../parser_regex.c:403
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -514,16 +554,19 @@ msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 
 #: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
+#: ../parser_regex.c:419
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
 #: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
+#: ../parser_regex.c:487
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
 #: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
+#: ../parser_policy.c:383
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -537,16 +580,19 @@ msgid ""
 msgstr ""
 
 #: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
+#: ../parser_policy.c:340
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
+#: ../parser_policy.c:370
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
+#: ../parser_policy.c:363
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -576,7 +622,7 @@ msgstr ""
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 
-#: parser_lex.l:180 parser_lex.l:186
+#: parser_lex.l:180 parser_lex.l:186 parser_lex.l:187
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
@@ -586,7 +632,8 @@ msgid "Feature buffer full."
 msgstr ""
 
 #: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
-#: ../parser_main.c:1041
+#: ../parser_main.c:1041 ../parser_main.c:1332 ../parser_main.c:1354
+#: ../parser_misc.c:280 ../parser_misc.c:299 ../parser_misc.c:308
 msgid "Out of memory"
 msgstr ""
 
@@ -615,11 +662,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575 parser_yacc.y:621
+#: parser_yacc.y:575 parser_yacc.y:621 parser_yacc.y:700
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612 parser_yacc.y:658
+#: parser_yacc.y:612 parser_yacc.y:658 parser_yacc.y:737
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -635,41 +682,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357 parser_yacc.y:1613
+#: parser_yacc.y:1357 parser_yacc.y:1613 parser_yacc.y:1722
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374 parser_yacc.y:1628
+#: parser_yacc.y:1374 parser_yacc.y:1628 parser_yacc.y:1737
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381 parser_yacc.y:1635
+#: parser_yacc.y:1381 parser_yacc.y:1635 parser_yacc.y:1744
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398 parser_yacc.y:1650
+#: parser_yacc.y:1398 parser_yacc.y:1650 parser_yacc.y:1759
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241 ../parser_regex.c:236
+#: ../parser_regex.c:241 ../parser_regex.c:236 ../parser_regex.c:264
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257 ../parser_regex.c:256
+#: ../parser_regex.c:257 ../parser_regex.c:256 ../parser_regex.c:284
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366 ../parser_policy.c:339
+#: ../parser_policy.c:366 ../parser_policy.c:339 ../parser_policy.c:347
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396 ../parser_policy.c:369
+#: ../parser_policy.c:396 ../parser_policy.c:369 ../parser_policy.c:377
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""
@@ -689,51 +736,244 @@ msgstr ""
 msgid "Error: Could not read cache file '%s', skipping...\n"
 msgstr ""
 
-#: ../parser_misc.c:575
+#: ../parser_misc.c:575 ../parser_misc.c:768
 #, c-format
 msgid "Internal: unexpected %s mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:599
+#: ../parser_misc.c:599 ../parser_misc.c:792
 #, c-format
 msgid "Internal error generated invalid %s perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:703
+#: parser_yacc.y:703 parser_yacc.y:784
 msgid "owner prefix not allowed on mount rules"
 msgstr ""
 
-#: parser_yacc.y:720
+#: parser_yacc.y:720 parser_yacc.y:801
 msgid "owner prefix not allowed on dbus rules"
 msgstr ""
 
-#: parser_yacc.y:736
+#: parser_yacc.y:736 parser_yacc.y:817
 msgid "owner prefix not allowed on signal rules"
 msgstr ""
 
-#: parser_yacc.y:752
+#: parser_yacc.y:752 parser_yacc.y:833
 msgid "owner prefix not allowed on ptrace rules"
 msgstr ""
 
-#: parser_yacc.y:768
+#: parser_yacc.y:768 parser_yacc.y:849 parser_yacc.y:869
 msgid "owner prefix not allowed on unix rules"
 msgstr ""
 
-#: parser_yacc.y:794
+#: parser_yacc.y:794 parser_yacc.y:885
 msgid "owner prefix not allowed on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1293
+#: parser_yacc.y:1293 parser_yacc.y:1377
 #, c-format
 msgid "dbus rule: invalid conditional group %s=()"
 msgstr ""
 
-#: parser_yacc.y:1371
+#: parser_yacc.y:1371 parser_yacc.y:1455
 #, c-format
 msgid "unix rule: invalid conditional group %s=()"
 msgstr ""
 
-#: ../parser_regex.c:368
+#: ../parser_regex.c:368 ../parser_regex.c:410
 #, c-format
 msgid "%s: Regex error: trailing '\\' escape character\n"
 msgstr ""
+
+#: ../parser_common.c:112
+#, c-format
+msgid "%s from %s (%s%sline %d): %s"
+msgstr ""
+
+#: ../parser_common.c:113
+msgid "Warning converted to Error"
+msgstr ""
+
+#: ../parser_common.c:113
+msgid "Warning"
+msgstr ""
+
+#: ../parser_interface.c:524
+#, c-format
+msgid "Unable to open stdout - %s\n"
+msgstr ""
+
+#: ../parser_interface.c:533
+#, c-format
+msgid "Unable to open output file - %s\n"
+msgstr ""
+
+#: parser_lex.l:326
+msgid "Failed to process filename\n"
+msgstr ""
+
+#: parser_lex.l:720
+#, c-format
+msgid "Lexer found unexpected character: '%s' (0x%x) in state: %s"
+msgstr ""
+
+#: ../parser_main.c:915
+#, c-format
+msgid "Unable to print the cache directory: %m\n"
+msgstr ""
+
+#: ../parser_main.c:951
+#, c-format
+msgid "Error: Could not load profile %s: %s\n"
+msgstr ""
+
+#: ../parser_main.c:961
+#, c-format
+msgid "Error: Could not replace profile %s: %s\n"
+msgstr ""
+
+#: ../parser_main.c:966
+#, c-format
+msgid "Error: Invalid load option specified: %d\n"
+msgstr ""
+
+#: ../parser_main.c:1077
+#, c-format
+msgid "Could not get cachename for '%s'\n"
+msgstr ""
+
+#: ../parser_main.c:1434
+msgid "Kernel features abi not found"
+msgstr ""
+
+#: ../parser_main.c:1438
+msgid "Failed to add kernel capabilities to known capabilities set"
+msgstr ""
+
+#: ../parser_main.c:1465
+#, c-format
+msgid "Failed to clear cache files (%s): %s\n"
+msgstr ""
+
+#: ../parser_main.c:1474
+msgid ""
+"The --create-cache-dir option is deprecated. Please use --write-cache.\n"
+msgstr ""
+
+#: ../parser_main.c:1479
+#, c-format
+msgid "Failed setting up policy cache (%s): %s\n"
+msgstr ""
+
+#: ../parser_misc.c:904
+#, c-format
+msgid "Namespace not terminated: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:906
+#, c-format
+msgid "Empty namespace: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:908
+#, c-format
+msgid "Empty named transition profile name: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:910
+#, c-format
+msgid "Unknown error while parsing label: %s\n"
+msgstr ""
+
+#: parser_yacc.y:306
+msgid "Failed to setup default policy feature abi"
+msgstr ""
+
+#: parser_yacc.y:308
+#, c-format
+msgid ""
+"%s: File '%s' missing feature abi, falling back to default policy feature "
+"abi\n"
+msgstr ""
+
+#: parser_yacc.y:313
+msgid "Failed to add policy capabilities to known capabilities set"
+msgstr ""
+
+#: parser_yacc.y:350
+msgid "Profile names must begin with a '/' or a namespace"
+msgstr ""
+
+#: parser_yacc.y:372
+msgid "Profile attachment must begin with a '/' or variable."
+msgstr ""
+
+#: parser_yacc.y:375
+#, c-format
+msgid "profile id: invalid conditional group %s=()"
+msgstr ""
+
+#: parser_yacc.y:404
+msgid ""
+"The use of file paths as profile names is deprecated. See man apparmor.d for "
+"more information\n"
+msgstr ""
+
+#: parser_yacc.y:573
+#, c-format
+msgid "Profile flag '%s' conflicts with '%s'"
+msgstr ""
+
+#: parser_yacc.y:954
+msgid "RLIMIT 'cpu' no units specified using default units of seconds\n"
+msgstr ""
+
+#: parser_yacc.y:966
+msgid ""
+"RLIMIT 'rttime' no units specified using default units of microseconds\n"
+msgstr ""
+
+#: parser_yacc.y:1582
+msgid "Exec condition is required when unsafe or safe keywords are present"
+msgstr ""
+
+#: parser_yacc.y:1584
+msgid "Exec condition must begin with '/'."
+msgstr ""
+
+#: parser_yacc.y:1643
+#, c-format
+msgid "AppArmor parser error at line %d: %s\n"
+msgstr ""
+
+#: parser_yacc.y:1790
+#, c-format
+msgid "Could not open '%s': %m"
+msgstr ""
+
+#: parser_yacc.y:1795
+#, c-format
+msgid "fstat failed for '%s': %m"
+msgstr ""
+
+#: parser_yacc.y:1809
+#, c-format
+msgid "failed to find features abi '%s': %m"
+msgstr ""
+
+#: parser_yacc.y:1813
+#, c-format
+msgid ""
+"%s: %s features abi '%s' differs from policy declared feature abi, using the "
+"features abi declared in policy\n"
+msgstr ""
+
+#: ../parser_regex.c:98 ../parser_regex.c:238
+#, c-format
+msgid "%s: Invalid glob type %d\n"
+msgstr ""
+
+#: ../parser_regex.c:693
+#, c-format
+msgid "The current kernel does not support stacking of named transitions: %s\n"
+msgstr ""

profiles/apparmor.d/abstractions/X

@@ -17,6 +17,7 @@
 
   # .ICEauthority files required for X authentication, per user
   owner @{HOME}/.ICEauthority r,
+  owner @{run}/user/*/ICEauthority r,
 
   # .Xauthority files required for X connections, per user
   owner @{HOME}/.Xauthority r,
@@ -29,7 +30,7 @@
   owner @{run}/user/*/xauth_* r,
 
   # the unix socket to use to connect to the display
-  /tmp/.X11-unix/* r,
+  /tmp/.X11-unix/* rw,
   unix (connect, receive, send)
        type=stream
        peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@@ -51,6 +52,8 @@
 
   # Xcompose
   owner @{HOME}/.XCompose         r,
+  /var/cache/libx11/compose/*     r,
+  deny /var/cache/libx11/compose/* wlk,
 
   # mouse themes
   /etc/X11/cursors/               r,

profiles/apparmor.d/abstractions/fonts

@@ -52,6 +52,8 @@
   owner @{HOME}/.fonts.conf.d/**        r,
   owner @{HOME}/.config/fontconfig/     r,
   owner @{HOME}/.config/fontconfig/**   r,
+  owner @{HOME}/.Fontmatrix/Activated/  r,
+  owner @{HOME}/.Fontmatrix/Activated/** r,
 
   /usr/local/share/fonts/               r,
   /usr/local/share/fonts/**             r,

profiles/apparmor.d/abstractions/mesa

@@ -12,11 +12,18 @@
 
   # User files
   owner @{HOME}/.cache/ w, # if user clears all caches
-  owner @{HOME}/.cache/mesa_shader_cache/ w,
+  owner @{HOME}/.cache/mesa_shader_cache/ rw,
   owner @{HOME}/.cache/mesa_shader_cache/index rw,
-  owner @{HOME}/.cache/mesa_shader_cache/??/ w,
-  owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+  owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+  owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+  owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
 
+  # Fallback location when @{HOME}/.cache is not available
+  owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
+  owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
+  owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+  owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+  owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
 
   # Include additions to the abstraction
   include if exists <abstractions/mesa.d>

profiles/apparmor.d/abstractions/ubuntu-browsers

@@ -38,3 +38,4 @@
   /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
   /usr/bin/opera Cx -> sanitized_helper,
   /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -28,10 +28,7 @@
   /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
 
   # Exo-aware applications
-  /usr/bin/exo-open ixr,
-  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
-  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
-  /etc/xdg/xfce4/helpers.rc r,
+  include <abstractions/exo-open>
 
   # unity webapps integration. Could go in its own abstraction
   owner /run/user/*/dconf/user rw,

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -74,6 +74,12 @@ profile sanitized_helper {
   /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
   /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
 
+  # The same is needed for Brave
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
+
   # Full access
   / r,
   /** rwkl,

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -70,8 +70,6 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
   # access to iface mtu needed for Router Advertisement messages in IPv6
   # Neighbor Discovery protocol (RFC 2461)
   @{PROC}/sys/net/ipv6/conf/*/mtu r,
-  # closing superfluous file descriptors scans /proc/self/fd/ to find open ones
-  @{PROC}/@{pid}/fd/ r,
 
   # for the read-only TFTP server
   @{TFTP_DIR}/ r,

profiles/apparmor.d/usr.sbin.dovecot

@@ -33,8 +33,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   capability sys_chroot,
   capability sys_resource,
 
-  signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
-  signal send set=(int,quit,term) peer=dovecot-*,
+  signal send set=(int,quit,term,kill) peer=/usr/lib/dovecot/*,
+  signal send set=(int,quit,term,kill) peer=dovecot-*,
 
   unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
   unix (receive, send) type=stream peer=(label=dovecot-anvil),
@@ -64,6 +64,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   /usr/lib/dovecot/ssl-params mrPx,
   /usr/lib/dovecot/stats Px,
   /usr/{bin,sbin}/dovecot mrix,
+  /usr/share/dovecot/dh.pem r,
   /usr/share/dovecot/protocols.d/   r,
   /usr/share/dovecot/protocols.d/** r,
   /var/lib/dovecot/ w,

profiles/apparmor.d/usr.sbin.nscd

@@ -30,7 +30,7 @@ profile nscd /usr/{bin,sbin}/nscd {
   @{run}/nscd/ rw,
   @{run}/nscd/db* rwl,
   @{run}/nscd/socket wl,
-  /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+  /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
   @{run}/{nscd/,}nscd.pid rwl,
   /var/lib/libvirt/dnsmasq/ r,
   /var/lib/libvirt/dnsmasq/*.status r,

profiles/apparmor/profiles/extras/sbin.dhclient

@@ -58,14 +58,14 @@ profile dhclient /{usr/,}sbin/dhclient {
   /usr/lib/{NetworkManager/,}nm-dhcp-helper rix,
   /var/lib/dhclient/dhclient{6,}.leases*	rw,
   /var/lib/dhcp/dhclient*.leases   rw,
-  /var/lib/dhcp6/dhclient.leases    rw,
+  /var/lib/dhcp{6,}/dhclient.leases    rw,
   /var/lib/NetworkManager/dhclient{6,}-*.conf r,
   /var/lib/NetworkManager/dhclient{6,}-*.lease rw,
   /var/log/lastlog            r,
   /var/log/messages           r,
   /var/log/wtmp               r,
   /{,var/}run/dhclient{6,}.pid    rw,
-  /{,var/}run/dhclient{6,}-*.pid  rw,
+  /{,var/}run/dhclient{6,}{-,.}*.pid  rw,
   /var/spool                  r,
   /var/spool/mail             r,
 

profiles/apparmor/profiles/extras/sbin.dhclient-script

@@ -12,13 +12,20 @@ profile dhclient-script /{usr/,}sbin/dhclient-script {
   include <abstractions/bash>
   include <abstractions/consoles>
 
+  /{usr/,}bin/dash rix,
   /{usr/,}bin/bash rix,
   /{usr/,}bin/grep rix,
   /{usr/,}bin/sleep rix,
   /{usr/,}bin/touch rix,
+  /{usr/,}bin/run-parts rix,
+  /{usr/,}bin/logger rix,
   /dev/.sysconfig/network/** r,
   /etc/netconfig.d/* mrix,
   /etc/sysconfig/network/** r,
+  /etc/dhcp/{**,} r,
   /{usr/,}sbin/dhclient-script r,
   /{usr/,}sbin/ip rix,
+  /{usr/,}sbin/resolvconf rPUx,
+
+  include if exists <local/sbin.dhclient-script>
 }

tests/regression/apparmor/aa_policy_cache.sh

@@ -56,7 +56,7 @@ create_cache_files()
 	do
 		cachefile="${cachedir}/${policy}"
 
-		echo "profile $policy { /f r, }" | ${subdomain} -qS > "$cachefile"
+		echo "profile $policy { /f r, }" | ${subdomain} "${parser_config}" -qS > "$cachefile"
 	done
 }
 

tests/regression/apparmor/uservars.inc.source

@@ -3,7 +3,8 @@ subdomain=${PWD}/../../../parser/apparmor_parser
 #subdomain=/sbin/apparmor_parser
 
 # 2. additional arguments to the apparmor parser
-parser_args="-q -K"
+parser_config="--config-file=${PWD}/../../../parser/parser.conf"
+parser_args="${parser_config} -q -K"
 
 # 3. directory to be used for temp files
 # Need to be able to access this directory by the root and nobody users.

tests/regression/apparmor/uservars.inc.system

@@ -3,7 +3,9 @@
 subdomain=/sbin/apparmor_parser
 
 # 2. additional arguments to the apparmor parser
-parser_args="-q -K"
+parser_config=""
+parser_args="${parser_config} -q -K"
+
 
 # 3. directory to be used for temp files
 # Need to be able to access this directory by the root and nobody users.

utils/Makefile

@@ -87,12 +87,17 @@ check_severity_db: /usr/include/linux/capability.h severity.db
 	test "$$RC" -eq 0
 
 # check_pod_files is defined in common/Make.rules
-.PHONY: check
-.SILENT: check
-check: check_severity_db check_pod_files
+.PHONY: check_lint
+.SILENT: check_lint
+check_lint:
 	for i in ${PYTOOLS} apparmor test/*.py; do \
 		echo Checking $$i; \
 		$(PYFLAKES) $$i || exit 1; \
 	done
+
+# check_pod_files is defined in common/Make.rules
+.PHONY: check
+.SILENT: check
+check: check_severity_db check_pod_files check_lint
 	$(MAKE) -C test check
 	$(MAKE) -C vim check

utils/aa-genprof

@@ -72,20 +72,14 @@ if args.json:
     aaui.set_json_mode()
 
 profiling = args.program
-profiledir = args.dir
 
-apparmor.init_aa()
+apparmor.init_aa(profiledir=args.dir)
 apparmor.set_logfile(args.file)
 
 aa_mountpoint = apparmor.check_for_apparmor()
 if not aa_mountpoint:
     raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))
 
-if profiledir:
-    apparmor.profile_dir = apparmor.get_full_path(profiledir)
-    if not os.path.isdir(apparmor.profile_dir):
-        raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)
-
 program = None
 #if os.path.exists(apparmor.which(profiling.strip())):
 if os.path.exists(profiling):

utils/aa-logprof

@@ -13,7 +13,6 @@
 #
 # ----------------------------------------------------------------------
 import argparse
-import os
 
 import apparmor.aa as apparmor
 import apparmor.ui as aaui
@@ -36,21 +35,16 @@ args = parser.parse_args()
 if args.json:
     aaui.set_json_mode()
 
-profiledir = args.dir
 logmark = args.mark or ''
 
-apparmor.init_aa()
+apparmor.init_aa(profiledir=args.dir)
+
 apparmor.set_logfile(args.file)
 
 aa_mountpoint = apparmor.check_for_apparmor()
 if not aa_mountpoint:
     raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))
 
-if profiledir:
-    apparmor.profile_dir = apparmor.get_full_path(profiledir)
-    if not os.path.isdir(apparmor.profile_dir):
-        raise apparmor.AppArmorException("%s is not a directory."%profiledir)
-
 apparmor.loadincludes()
 
 apparmor.read_profiles(True)

utils/aa-mergeprof

@@ -14,7 +14,6 @@
 #
 # ----------------------------------------------------------------------
 import argparse
-import os
 
 import apparmor.aa
 
@@ -22,7 +21,6 @@ import apparmor.severity
 import apparmor.cleanprofile as cleanprofile
 import apparmor.ui as aaui
 
-from apparmor.common import AppArmorException
 
 
 # setup exception handling
@@ -41,16 +39,10 @@ args = parser.parse_args()
 
 args.other = None
 
-apparmor.aa.init_aa()
+apparmor.aa.init_aa(profiledir=args.dir)
 
 profiles = args.files
 
-profiledir = args.dir
-if profiledir:
-    apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
-    if not os.path.isdir(apparmor.aa.profile_dir):
-        raise AppArmorException(_("%s is not a directory.") %profiledir)
-
 def find_profiles_from_files(files):
     profile_to_filename = dict()
     for file_name in files:

utils/aa-notify

@@ -232,6 +232,27 @@ def follow_apparmor_events(logfile, wait=0):
                 format(int(time.time()) - start_time)
             )
 
+            (logdata, log_inode, log_size) = reopen_logfile_if_needed(logfile, logdata, log_inode, log_size)
+
+            for event in parse_logdata(logdata):
+                # @TODO Alternatively use os.times()
+                if int(time.time()) - start_time < wait:
+                    debug_logger.debug('Omitted an event seen during wait time')
+                    continue
+                yield event
+
+            if debug_logger.debugging and debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
+                debug_logger.debug('Debug mode detected: aborting notification emitter after 100 seconds.')
+                sys.exit(0)
+
+            time.sleep(1)
+
+
+def reopen_logfile_if_needed(logfile, logdata, log_inode, log_size):
+    retry = True
+
+    while retry:
+        try:
             # Reopen file if inode has chaneged, e.g. rename by logrotate
             if os.stat(logfile).st_ino != log_inode:
                 debug_logger.debug('Logfile was renamed, reload to read the new file.')
@@ -249,18 +270,14 @@ def follow_apparmor_events(logfile, wait=0):
             if os.stat(logfile).st_size > log_size:
                 log_size = os.stat(logfile).st_size
 
-            for event in parse_logdata(logdata):
-                # @TODO Alternatively use os.times()
-                if int(time.time()) - start_time < wait:
-                    debug_logger.debug('Omitted an event seen during wait time')
-                    continue
-                yield event
-
-            if debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
-                debug_logger.debug('Debug mode detected: aborting notification emitter after 100 seconds.')
-                sys.exit(0)
-
+            retry = False
+        except FileNotFoundError:
+            # @TODO: switch to epoll/inotify/
+            debug_logger.debug('Logfile not found, retrying.')
             time.sleep(1)
+            # @TODO: send notification if reopening the log fails too many times
+
+    return (logdata, log_inode, log_size)
 
 
 def get_apparmor_events(logfile, since=0):
@@ -407,7 +424,8 @@ def main():
         debug_logger.activateStderr()
         debug_logger.debug('Logging level: {}'.format(debug_logger.debug_level))
         debug_logger.debug('Running as uid: {0[0]}, euid: {0[1]}, suid: {0[2]}'.format(os.getresuid()))
-
+        if args.poll:
+            debug_logger.debug('Running with --debug and --poll. Will exit in 100s')
     # Sanity checks
     user_ids = os.getresuid()
     groups_ids = os.getresgid()

utils/apparmor/aa.py

@@ -454,7 +454,11 @@ def create_new_profile(localfile, is_stub=False):
     local_profile = hasher()
     local_profile[localfile] = ProfileStorage('NEW', localfile, 'create_new_profile()')
     local_profile[localfile]['flags'] = 'complain'
-    local_profile[localfile]['inc_ie'].add(IncludeRule('abstractions/base', False, True))
+
+    if os.path.join(profile_dir, 'abstractions/base') in include:
+        local_profile[localfile]['inc_ie'].add(IncludeRule('abstractions/base', False, True))
+    else:
+        aaui.UI_Important(_("WARNING: Can't find %s, therefore not adding it to the new profile.") % 'abstractions/base')
 
     if os.path.exists(localfile) and os.path.isfile(localfile):
         interpreter_path, abstraction = get_interpreter_and_abstraction(localfile)
@@ -464,7 +468,10 @@ def create_new_profile(localfile, is_stub=False):
             local_profile[localfile]['file'].add(FileRule(interpreter_path, None, 'ix', FileRule.ALL, owner=False))
 
             if abstraction:
-                local_profile[localfile]['inc_ie'].add(IncludeRule(abstraction, False, True))
+                if os.path.join(profile_dir, abstraction) in include:
+                    local_profile[localfile]['inc_ie'].add(IncludeRule(abstraction, False, True))
+                else:
+                    aaui.UI_Important(_("WARNING: Can't find %s, therefore not adding it to the new profile.") % abstraction)
 
             handle_binfmt(local_profile[localfile], interpreter_path)
         else:
@@ -2511,7 +2518,7 @@ def logger_path():
 
 ######Initialisations######
 
-def init_aa(confdir="/etc/apparmor"):
+def init_aa(confdir="/etc/apparmor", profiledir=None):
     global CONFDIR
     global conf
     global cfg
@@ -2534,7 +2541,10 @@ def init_aa(confdir="/etc/apparmor"):
     if cfg['settings'].get('default_owner_prompt', False):
         cfg['settings']['default_owner_prompt'] = ''
 
-    profile_dir = conf.find_first_dir(cfg['settings'].get('profiledir')) or '/etc/apparmor.d'
+    if profiledir:
+        profile_dir = profiledir
+    else:
+        profile_dir = conf.find_first_dir(cfg['settings'].get('profiledir')) or '/etc/apparmor.d'
     profile_dir = os.path.abspath(profile_dir)
     if not os.path.isdir(profile_dir):
         raise AppArmorException('Can\'t find AppArmor profiles in %s' % (profile_dir))

utils/apparmor/tools.py

@@ -25,10 +25,9 @@ _ = init_translation()
 
 class aa_tools:
     def __init__(self, tool_name, args):
-        apparmor.init_aa()
+        apparmor.init_aa(profiledir=args.dir)
 
         self.name = tool_name
-        self.profiledir = args.dir
         self.profiling = args.program
         self.check_profile_dir()
         self.silent = None
@@ -43,11 +42,6 @@ class aa_tools:
             self.silent = args.silent
 
     def check_profile_dir(self):
-        if self.profiledir:
-            apparmor.profile_dir = apparmor.get_full_path(self.profiledir)
-            if not os.path.isdir(apparmor.profile_dir):
-                raise apparmor.AppArmorException("%s is not a directory." % self.profiledir)
-
         if not user_perm(apparmor.profile_dir):
             raise apparmor.AppArmorException("Cannot write to profile directory: %s" % (apparmor.profile_dir))
 
@@ -183,6 +177,7 @@ class aa_tools:
 
     def cmd_autodep(self):
         apparmor.read_profiles()
+        apparmor.loadincludes()
 
         for (program, profile) in self.get_next_to_profile():
             if not program:

utils/po/de.po

@@ -1079,11 +1079,11 @@ msgstr "(C)hild sauber ausführen"
 
 #: ../apparmor/ui.py:239
 msgid "(N)amed"
-msgstr "(B)enannt"
+msgstr "Be(n)annt"
 
 #: ../apparmor/ui.py:240
 msgid "(N)amed Clean Exec"
-msgstr "(B)enannte sauber ausführen"
+msgstr "Be(n)annte sauber ausführen"
 
 #: ../apparmor/ui.py:241
 msgid "(U)nconfined"
@@ -1111,11 +1111,11 @@ msgstr "(C)hild vererbt saubere Ausführung"
 
 #: ../apparmor/ui.py:247
 msgid "(N)amed Inherit"
-msgstr "(B)enannte Vererbung"
+msgstr "Be(n)annte Vererbung"
 
 #: ../apparmor/ui.py:248
 msgid "(N)amed Inherit Clean Exec"
-msgstr "(B)enannte Vererbung sauber ausführen"
+msgstr "Be(n)annte Vererbung sauber ausführen"
 
 #: ../apparmor/ui.py:249
 msgid "(X) ix On"

utils/po/id.po

@@ -1147,11 +1147,11 @@ msgstr "(B)aru"
 
 #: ../apparmor/ui.py:254
 msgid "(G)lob"
-msgstr "(G)umpal"
+msgstr "G(u)mpal"
 
 #: ../apparmor/ui.py:255
 msgid "Glob with (E)xtension"
-msgstr "Gumpal dengan (E)kstensi"
+msgstr "Gumpal dengan E(k)stensi"
 
 #: ../apparmor/ui.py:256
 msgid "(A)dd Requested Hat"
@@ -1159,7 +1159,7 @@ msgstr "(T)ambahkan Topi yang Diminta"
 
 #: ../apparmor/ui.py:257
 msgid "(U)se Default Hat"
-msgstr "(G)unakan Topi Default"
+msgstr "Gunakan Topi (D)efault"
 
 #: ../apparmor/ui.py:258
 msgid "(S)can system log for AppArmor events"
@@ -1175,7 +1175,7 @@ msgstr "(L)ihat Profil"
 
 #: ../apparmor/ui.py:261
 msgid "(U)se Profile"
-msgstr "(G)unakan Profil"
+msgstr "Gunakan (P)rofil"
 
 #: ../apparmor/ui.py:262
 msgid "(C)reate New Profile"

utils/po/sv.po

@@ -1004,7 +1004,7 @@ msgstr ""
 
 #: ../apparmor/ui.py:223
 msgid "(A)llow"
-msgstr "(T)illåt"
+msgstr "Ti(l)låt"
 
 #: ../apparmor/ui.py:224
 msgid "(M)ore"

utils/severity.db

@@ -30,6 +30,7 @@
        CAP_SETUID 9
        CAP_FOWNER 9
        CAP_BPF 9
+       CAP_CHECKPOINT_RESTORE 9
 # Denial of service, bypass audit controls, information leak
        CAP_SYS_TIME 8
        CAP_NET_ADMIN 8

utils/test/test-aa-notify.py

@@ -189,6 +189,7 @@ optional arguments:
         result = 'Got output "%s", expected "%s"\n' % (output, expected_output_has)
         self.assertIn(expected_output_has, output, result + output)
 
+    @unittest.skipUnless(os.path.isfile('/var/log/wtmp'), 'Requires wtmp on system')
     def test_entries_since_login(self):
         '''Test showing log entries since last login'''
 

utils/test/test-translations.py

@@ -61,7 +61,7 @@ class TestHotkeyConflicts(AATest):
             keys = dict()
             for key in params:
                 text = t.gettext(CMDS[key])
-                hotkey = get_translated_hotkey(text)
+                hotkey = get_translated_hotkey(text).lower()
 
                 if keys.get(hotkey):
                     raise Exception("Hotkey conflict: '%s' and '%s' in language %s" % (keys[hotkey], text, language))