parser: change priority so that it accumulates based on permissions

The current behavior of priority rules can be non-intuitive with higher priority rules completely overriding lower priority rules even in permissions not held in common. This behavior does have use cases but its can be very confusing, and does not normal policy behavior Eg. priority=0 allow r /**, priority=1 deny w /**, will result in no allowed permissions even though the deny rule is only removing the w permission, beause the higher priority rule completely over ride lower priority permissions sets (including none shared permissions). Instead move to tracking the priority at a per permission level. This allows the w permission to still override at priority 1, while the read permission is allowed at priority 0. The final constructed state will still drop priority for the final permission set on the state. Note: this patch updates the equality tests for the cases where the complete override behavior was being tested for. The complete override behavior will be reintroduced in a future patch with a keyword extension, enabling that behavior to be used for ordered blocks etc. Signed-off-by: John Johansen <john.johansen@canonical.com>
parser: fix prefix dump to include priority
2025-09-02 15:25:27 +00:00 · 2025-02-06 12:24:04 -08:00 · 2025-02-06 10:54:42 -08:00 · 2025-02-06 10:53:19 -08:00 · 2025-02-06 08:34:02 -08:00 · 2025-02-05 16:44:42 +00:00
112 changed files with 2569 additions and 2410 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-apparmor-
+apparmor-*
 cscope.*
 binutils/aa-enabled
 binutils/aa-enabled.1
@@ -203,7 +203,6 @@ utils/apparmor/*.pyc
 utils/apparmor/rule/*.pyc
 utils/apparmor.egg-info/
 utils/build/
-!utils/emacs/apparmor-mode.el
 utils/htmlcov/
 utils/test/common_test.pyc
 utils/test/.coverage
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,7 +13,6 @@ workflow:
 stages:
  - build
  - test
-  - spread

 .ubuntu-common:
  before_script:
@@ -127,6 +126,19 @@ test-profiles:
    - make -C profiles check-abstractions.d
    - make -C profiles check-local

+# Build the regression tests (don't run them because that needs kernel access)
+test-build-regression:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-common
+  script:
+    # Additional dependencies required by regression tests
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y attr fuse-overlayfs libdbus-1-dev liburing-dev
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - make -C tests/regression/apparmor -j $(nproc)
+
 shellcheck:
  stage: test
  needs: []
@@ -184,123 +196,3 @@ coverity:
      - "apparmor-*.tar.gz"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"
-
-.image-garden-x86_64:
-  stage: spread
-  # TODO: use tagged release once container tagging is improved upstream.
-  image: registry.gitlab.com/zygoon/image-garden:latest
-  tags:
-    - linux
-    - x86_64
-    - kvm
-  variables:
-    ARCH: x86_64
-    GARDEN_DL_DIR: dl
-    CACHE_POLICY: pull-push
-    CACHE_COMPRESSION_LEVEL: fastest
-  before_script:
-    # Prepare the image in dry-run mode. This helps in debugging cache misses
-    # when files are not cached correctly by the runner, causing the build section
-    # below to always do hevy-duty work.
-    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
-    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
-    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
-  script:
-    # Prepare the image, for real.
-    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image "Prepare image"
-    - image-garden make "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
-    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image
-  cache:
-    # Cache the base image (pre-customization).
-    - key: image-garden-base-${GARDEN_SYSTEM}.${ARCH}
-      policy: $CACHE_POLICY
-      when: always
-      paths:
-        - $GARDEN_DL_DIR
-        # Those are never mutated so they are safe to share.
-        - efi-code.*.img
-        - efi-vars.*.img
-    # Cache the customized system. This cache depends on .image-garden.mk file
-    # so that any customization updates are immediately acted upon.
-    - key:
-        prefix: image-garden-custom-${GARDEN_SYSTEM}.${ARCH}-
-        files:
-          - .image-garden.mk
-      policy: $CACHE_POLICY
-      when: always
-      paths:
-        - $GARDEN_SYSTEM.*
-        - $GARDEN_SYSTEM.seed.iso
-        - $GARDEN_SYSTEM.meta-data
-        - $GARDEN_SYSTEM.user-data
-
-# This job builds and caches the image that the job below looks at.
-image-ubuntu-cloud-24.04-x86_64:
-  extends: .image-garden-x86_64
-  variables:
-    GARDEN_SYSTEM: ubuntu-cloud-24.04
-  needs: []
-  dependencies: []
-  rules:
-    - if: $CI_COMMIT_TAG
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH
-      changes:
-        paths:
-          - .image-garden.mk
-          - .gitlab-ci.yml
-        compare_to: "refs/heads/master"
-
-.spread-x86_64:
-  extends: .image-garden-x86_64
-  variables:
-    # GitLab project identifier of zygoon/spread-dist can be seen on
-    # https://gitlab.com/zygoon/spread-dist, under the three-dot menu on
-    # top-right.
-    SPREAD_GITLAB_PROJECT_ID: "65375371"
-    # Git revision of spread to install.
-    # This must have been built via spread-dist.
-    # TODO: switch to upstream 1.0 release when available.
-    SPREAD_REV: 413817eda7bec07a3885e0717c178b965f8924e1
-    # Run all the tasks for a given system.
-    SPREAD_ARGS: "garden:$GARDEN_SYSTEM:"
-    SPREAD_GOARCH: amd64
-  before_script:
-    # Prepare the image in dry-run mode. This helps in debugging cache misses
-    # when files are not cached correctly by the runner, causing the build section
-    # below to always do hevy-duty work.
-    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
-    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
-    - stat .image-garden.mk "$GARDEN_SYSTEM".* || true
-    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
-    # Install the selected revision of spread.
-    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_spread "Installing spread..."
-    # Install pre-built spread from https://gitlab.com/zygoon/spread-dist generic package repository.
-    - |
-      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --location --output spread "${CI_API_V4_URL}/projects/${SPREAD_GITLAB_PROJECT_ID}/packages/generic/spread/${SPREAD_REV}/spread.${SPREAD_GOARCH}"
-    - chmod +x spread
-    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_spread
-  script:
-    - printf '\e[0K%s:%s:%s\r\e[0K%s\n' section_start "$(date +%s)" run_spread "Running spread for $GARDEN_SYSTEM..."
-    # TODO: transform to inject ^...$ to properly select jobs to run.
-    - mkdir -p spread-logs spread-artifacts
-    - ./spread -list $SPREAD_ARGS |
-      split --number=l/"${CI_NODE_INDEX:-1}"/"${CI_NODE_TOTAL:-1}" |
-      xargs --verbose ./spread -v -artifacts ./spread-artifacts -v | tee spread-logs/"$GARDEN_SYSTEM".log
-    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" run_spread
-  artifacts:
-    paths:
-      - spread-logs
-      - spread-artifacts
-    when: always
-
-spread-ubuntu-cloud-24.04-x86_64:
-  extends: .spread-x86_64
-  variables:
-    GARDEN_SYSTEM: ubuntu-cloud-24.04
-    SPREAD_ARGS: garden:$GARDEN_SYSTEM:tests/regression/ garden:$GARDEN_SYSTEM:tests/profiles/
-    CACHE_POLICY: pull
-  dependencies: []
-  needs:
-    - job: image-ubuntu-cloud-24.04-x86_64
-      optional: true
-  parallel: 4
--- a/README.md
+++ b/README.md
@@ -111,13 +111,21 @@ $ export PYTHON_VERSION=3
 $ export PYTHON_VERSIONS=python3
 ```

+Note that, in general, the build steps can be run in parallel, while the test
+steps do not gain much speedup from being run in parallel. This is because the
+test steps spawn a handful of long-lived test runner processes that mostly
+run their tests sequentially and do not use `make`'s jobserver. Moreover,
+process spawning overhead constitutes a significant part of test runtime, so
+reworking the test harnesses to add parallelism (which would be a major undertaking
+for the harnesses that do not have it already) would not produce much of a speedup.
+
 ### libapparmor:

 ```
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
 $ sh ./configure --prefix=/usr --with-perl --with-python # see below
-$ make
+$ make -j $(nproc)
 $ make check
 $ make install
 ```
@@ -130,7 +138,7 @@ generate Ruby bindings to libapparmor.]

 ```
 $ cd binutils
-$ make
+$ make -j $(nproc)
 $ make check
 $ make install
 ```
@@ -139,7 +147,8 @@ $ make install

 ```
 $ cd parser
-$ make		# depends on libapparmor having been built first
+$ make -j $(nproc)		# depends on libapparmor having been built first
+$ make -j $(nproc) tst_binaries		# a build step of make check that can be parallelized
 $ make check
 $ make install
 ```
@@ -149,7 +158,7 @@ $ make install

 ```
 $ cd utils
-$ make
+$ make -j $(nproc)
 $ make check PYFLAKES=/usr/bin/pyflakes3
 $ make install
 ```
@@ -158,7 +167,7 @@ $ make install

 ```
 $ cd changehat/mod_apparmor
-$ make		# depends on libapparmor having been built first
+$ make -j $(nproc)		# depends on libapparmor having been built first
 $ make install
 ```

@@ -167,7 +176,7 @@ $ make install

 ```
 $ cd changehat/pam_apparmor
-$ make		# depends on libapparmor having been built first
+$ make -j $(nproc)		# depends on libapparmor having been built first
 $ make install
 ```

@@ -234,7 +243,7 @@ To run:
 ### Regression tests - using apparmor userspace installed on host
 ```
 $ cd tests/regression/apparmor (requires root)
-$ make USE_SYSTEM=1
+$ make -j $(nproc) USE_SYSTEM=1
 $ sudo make tests USE_SYSTEM=1
 $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
 ```
@@ -247,7 +256,7 @@ $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh

 ```
 $ cd tests/regression/apparmor (requires root)
-$ make
+$ make -j $(nproc)
 $ sudo make tests
 $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
 ```
--- a/binutils/aa_status.c
+++ b/binutils/aa_status.c
@@ -20,6 +20,8 @@
 #include <ctype.h>
 #include <dirent.h>
 #include <regex.h>
+#include <libintl.h>
+#define _(s) gettext(s)

 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
@@ -131,7 +133,7 @@ const char *process_statuses[] = {"enforce", "complain", "prompt", "kill", "unco
 #define eprintf(...)                                                    \
 do {									\
 	if (!quiet)							\
-	  fprintf(stderr, __VA_ARGS__);					\
+		fprintf(stderr, __VA_ARGS__);					\
 } while (0)

 #define dprintf(...)							\
@@ -156,14 +158,14 @@ static int open_profiles(FILE **fp)

 	ret = stat("/sys/module/apparmor", &st);
 	if (ret != 0) {
-		eprintf("apparmor not present.\n");
+		eprintf(_("apparmor not present.\n"));
 		return AA_EXIT_DISABLED;
 	}
-	dprintf("apparmor module is loaded.\n");
+	dprintf(_("apparmor module is loaded.\n"));

 	ret = aa_find_mountpoint(&apparmorfs);
 	if (ret == -1) {
-		eprintf("apparmor filesystem is not mounted.\n");
+		eprintf(_("apparmor filesystem is not mounted.\n"));
 		return AA_EXIT_NO_CONTROL;
 	}

@@ -176,9 +178,9 @@ static int open_profiles(FILE **fp)
 	*fp = fopen(apparmor_profiles, "r");
 	if (*fp == NULL) {
 		if (errno == EACCES) {
-			eprintf("You do not have enough privilege to read the profile set.\n");
+			eprintf(_("You do not have enough privilege to read the profile set.\n"));
 		} else {
-			eprintf("Could not open %s: %s", apparmor_profiles, strerror(errno));
+			eprintf(_("Could not open %s: %s"), apparmor_profiles, strerror(errno));
 		}
 		return AA_EXIT_NO_PERM;
 	}
@@ -351,7 +353,7 @@ static int get_processes(struct profile *profiles,
 			continue;
 		} else if (rc == -1 ||
 			   asprintf(&exe, "/proc/%s/exe", entry->d_name) == -1) {
-			eprintf("ERROR: Failed to allocate memory\n");
+			eprintf(_("ERROR: Failed to allocate memory\n"));
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto exit;
 		} else if (mode) {
@@ -374,7 +376,7 @@ static int get_processes(struct profile *profiles,
 			// ensure enough space for NUL terminator
 			real_exe = calloc(PATH_MAX + 1, sizeof(char));
 			if (real_exe == NULL) {
-				eprintf("ERROR: Failed to allocate memory\n");
+				eprintf(_("ERROR: Failed to allocate memory\n"));
 				ret = AA_EXIT_INTERNAL_ERROR;
 				goto exit;
 			}
@@ -598,7 +600,7 @@ static int detailed_profiles(FILE *outf, filters_t *filters, bool json,
 		 */
 		subfilters.mode = &mode_filter;
 		if (regcomp(&mode_filter, profile_statuses[i], REG_NOSUB) != 0) {
-			eprintf("Error: failed to compile sub filter '%s'\n",
+			eprintf(_("Error: failed to compile sub filter '%s'\n"),
 				 profile_statuses[i]);
 			return AA_EXIT_INTERNAL_ERROR;
 		}
@@ -664,7 +666,7 @@ static int detailed_processes(FILE *outf, filters_t *filters, bool json,
 		 */
 		subfilters.mode = &mode_filter;
 		if (regcomp(&mode_filter, process_statuses[i], REG_NOSUB) != 0) {
-			eprintf("Error: failed to compile sub filter '%s'\n",
+			eprintf(_("Error: failed to compile sub filter '%s'\n"),
 				 profile_statuses[i]);
 			return AA_EXIT_INTERNAL_ERROR;
 		}
@@ -726,7 +728,7 @@ exit:

 static int print_legacy(const char *command)
 {
-	printf("Usage: %s [OPTIONS]\n"
+	printf(_("Usage: %s [OPTIONS]\n"
 	 "Legacy options and their equivalent command\n"
 	 "  --profiled             --count --profiles\n"
 	 "  --enforced             --count --profiles --mode=enforced\n"
@@ -734,8 +736,8 @@ static int print_legacy(const char *command)
 	 "  --kill                 --count --profiles --mode=kill\n"
 	 "  --prompt               --count --profiles --mode=prompt\n"
 	 "  --special-unconfined   --count --profiles --mode=unconfined\n"
-	 "  --process-mixed        --count --ps --mode=mixed\n",
-	command);
+	 "  --process-mixed        --count --ps --mode=mixed\n"),
+	 command);

 	exit(0);
 	return 0;
@@ -745,7 +747,7 @@ static int usage_filters(void)
 {
 	long unsigned int i;

-	printf("Usage of filters\n"
+	printf(_("Usage of filters\n"
 	 "Filters are used to reduce the output of information to only\n"
 	 "those entries that will match the filter. Filters use posix\n"
 	 "regular expression syntax. The possible values for exes that\n"
@@ -755,7 +757,7 @@ static int usage_filters(void)
 	 "  --filter.profiles: regular expression to match displayed profile names\n"
 	 "  --filter.pid:  regular expression to match displayed processes pids\n"
 	 "  --filter.exe:  regular expression to match executable\n"
-	);
+	));
 	for (i = 0; i < ARRAY_SIZE(process_statuses); i++) {
 		printf("%s%s", i ? ", " : "", process_statuses[i]);
 	}
@@ -773,7 +775,7 @@ static int print_usage(const char *command, bool error)
 		status = EXIT_FAILURE;
 	}

-	printf("Usage: %s [OPTIONS]\n"
+	printf(_("Usage: %s [OPTIONS]\n"
 	 "Displays various information about the currently loaded AppArmor policy.\n"
 	 "Default if no options given\n"
 	 "  --show=all\n\n"
@@ -790,8 +792,8 @@ static int print_usage(const char *command, bool error)
 	 "  --verbose       (default) displays data points about loaded policy set\n"
 	 "  --quiet         don't output error messages\n"
 	 "  -h[(legacy|filters)]      this message, or info on the specified option\n"
-	 "  --help[=(legacy|filters)] this message, or info on the specified option\n",
-	 command);
+	 "  --help[=(legacy|filters)] this message, or info on the specified option\n"),
+	command);

 	exit(status);

@@ -867,7 +869,7 @@ static int parse_args(int argc, char **argv)
 			} else if (strcmp(optarg, "filters") == 0) {
 				usage_filters();
 			} else {
-				eprintf("Error: Invalid --help option '%s'.\n", optarg);
+				eprintf(_("Error: Invalid --help option '%s'.\n"), optarg);
 				print_usage(argv[0], true);
 				break;
 			}
@@ -935,7 +937,7 @@ static int parse_args(int argc, char **argv)
 			} else if (strcmp(optarg, "processes") == 0) {
 				opt_show = SHOW_PROCESSES;
 			} else {
-				eprintf("Error: Invalid --show option '%s'.\n", optarg);
+				eprintf(_("Error: Invalid --show option '%s'.\n"), optarg);
 				print_usage(argv[0], true);
 				break;
 			}
@@ -957,7 +959,7 @@ static int parse_args(int argc, char **argv)
 			break;
 			
 		default:
-			eprintf("Error: Invalid command.\n");
+			eprintf(_("Error: Invalid command.\n"));
 			print_usage(argv[0], true);
 			break;
 		}
@@ -982,7 +984,7 @@ int main(int argc, char **argv)
 	if (argc > 1) {
 		int pos = parse_args(argc, argv);
 		if (pos < argc) {
-			eprintf("Error: Unknown options.\n");
+			eprintf(_("Error: Unknown options.\n"));
 			print_usage(progname, true);
 		}
 	} else {
@@ -994,24 +996,24 @@ int main(int argc, char **argv)

 	init_filters(&filters, &filter_set);
 	if (regcomp(filters.mode, opt_mode, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile mode filter '%s'\n",
+		eprintf(_("Error: failed to compile mode filter '%s'\n"),
 			 opt_mode);
 		return AA_EXIT_INTERNAL_ERROR;
 	}
 	if (regcomp(filters.profile, opt_profiles, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile profiles filter '%s'\n",
+		eprintf(_("Error: failed to compile profiles filter '%s'\n"),
 			 opt_profiles);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
 	}
 	if (regcomp(filters.pid, opt_pid, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile ps filter '%s'\n",
+		eprintf(_("Error: failed to compile ps filter '%s'\n"),
 			 opt_pid);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
 	}
 	if (regcomp(filters.exe, opt_exe, REG_NOSUB) != 0) {
-		eprintf("Error: failed to compile exe filter '%s'\n",
+		eprintf(_("Error: failed to compile exe filter '%s'\n"),
 			 opt_exe);
 		ret = AA_EXIT_INTERNAL_ERROR;
 		goto out;
@@ -1026,7 +1028,7 @@ int main(int argc, char **argv)
 		outf_save = outf;
 		outf = open_memstream(&buffer, &buffer_size);
 		if (!outf) {
-			eprintf("Failed to open memstream: %m\n");
+			eprintf(_("Failed to open memstream: %m\n"));
 			return AA_EXIT_INTERNAL_ERROR;
 		}
 	}
@@ -1037,7 +1039,7 @@ int main(int argc, char **argv)
 	 */
 	ret = get_profiles(fp, &profiles, &nprofiles);
 	if (ret != 0) {
-		eprintf("Failed to get profiles: %d....\n", ret);
+		eprintf(_("Failed to get profiles: %d....\n"), ret);
 		goto out;
 	}

@@ -1066,7 +1068,7 @@ int main(int argc, char **argv)

 		ret = get_processes(profiles, nprofiles, &processes, &nprocesses);
 		if (ret != 0) {
-			eprintf("Failed to get processes: %d....\n", ret);
+			eprintf(_("Failed to get processes: %d....\n"), ret);
 		} else if (opt_count) {
 			ret = simple_filtered_process_count(outf, &filters, opt_json,
 							processes, nprocesses);
@@ -1092,14 +1094,14 @@ int main(int argc, char **argv)
 		outf = outf_save;
 		json = cJSON_Parse(buffer);
 		if (!json) {
-			eprintf("Failed to parse json output");
+			eprintf(_("Failed to parse json output"));
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto out;
 		}

 		pretty = cJSON_Print(json);
 		if (!pretty) {
-			eprintf("Failed to print pretty json");
+			eprintf(_("Failed to print pretty json"));
 			ret = AA_EXIT_INTERNAL_ERROR;
 			goto out;
 		}
--- a/binutils/po/aa_enabled.pot
+++ b/binutils/po/aa_enabled.pot
@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_enabled
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2020.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:52-0700\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
--- a/binutils/po/aa_exec.pot
+++ b/binutils/po/aa_exec.pot
@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_exec
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2020.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:52-0700\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
--- a/binutils/po/aa_features_abi.pot
+++ b/binutils/po/aa_features_abi.pot
@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_features_abi
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2011.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2020-10-14 03:52-0700\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
--- a/binutils/po/aa_load.pot
+++ b/binutils/po/aa_load.pot
@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for aa_load
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2020.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2025-02-18 07:37-0800\n"
+"POT-Creation-Date: 2024-08-31 15:59-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
--- a/binutils/po/aa_status.pot
+++ b/binutils/po/aa_status.pot
@@ -0,0 +1,165 @@
+# Translations for aa_status
+# Copyright (C) 2024 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2024.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2024-08-31 17:49-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_status.c:161
+msgid "apparmor not present.\n"
+msgstr ""
+
+#: ../aa_status.c:164
+msgid "apparmor module is loaded.\n"
+msgstr ""
+
+#: ../aa_status.c:168
+msgid "apparmor filesystem is not mounted.\n"
+msgstr ""
+
+#: ../aa_status.c:181
+msgid "You do not have enough privilege to read the profile set.\n"
+msgstr ""
+
+#: ../aa_status.c:183
+#, c-format
+msgid "Could not open %s: %s"
+msgstr ""
+
+#: ../aa_status.c:356 ../aa_status.c:379
+msgid "ERROR: Failed to allocate memory\n"
+msgstr ""
+
+#: ../aa_status.c:587 ../aa_status.c:653
+#, c-format
+msgid "Error: failed to compile sub filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:715
+#, c-format
+msgid ""
+"Usage: %s [OPTIONS]\n"
+"Legacy options and their equivalent command\n"
+"  --profiled             --count --profiles\n"
+"  --enforced             --count --profiles --mode=enforced\n"
+"  --complaining          --count --profiles --mode=complain\n"
+"  --kill                 --count --profiles --mode=kill\n"
+"  --prompt               --count --profiles --mode=prompt\n"
+"  --special-unconfined   --count --profiles --mode=unconfined\n"
+"  --process-mixed        --count --ps --mode=mixed\n"
+msgstr ""
+
+#: ../aa_status.c:734
+#, c-format
+msgid ""
+"Usage of filters\n"
+"Filters are used to reduce the output of information to only\n"
+"those entries that will match the filter. Filters use posix\n"
+"regular expression syntax. The possible values for exes that\n"
+"support filters are below\n"
+"\n"
+"  --filter.mode: regular expression to match the profile "
+"mode                 modes: enforce, complain, kill, unconfined, mixed\n"
+"  --filter.profiles: regular expression to match displayed profile names\n"
+"  --filter.pid:  regular expression to match displayed processes pids\n"
+"  --filter.exe:  regular expression to match executable\n"
+msgstr ""
+
+#: ../aa_status.c:762
+#, c-format
+msgid ""
+"Usage: %s [OPTIONS]\n"
+"Displays various information about the currently loaded AppArmor policy.\n"
+"Default if no options given\n"
+"  --show=all\n"
+"\n"
+"OPTIONS (one only):\n"
+"  --enabled       returns error code if AppArmor not enabled\n"
+"  --show=X        What information to show. {profiles,processes,all}\n"
+"  --count         print the number of entries. Implies --quiet\n"
+"  --filter.mode=filter      see filters\n"
+"  --filter.profiles=filter  see filters\n"
+"  --filter.pid=filter       see filters\n"
+"  --filter.exe=filter       see filters\n"
+"  --json          displays multiple data points in machine-readable JSON "
+"format\n"
+"  --pretty-json   same data as --json, formatted for human consumption as "
+"well\n"
+"  --verbose       (default) displays data points about loaded policy set\n"
+"  --quiet         don't output error messages\n"
+"  -h[(legacy|filters)]      this message, or info on the specified option\n"
+"  --help[=(legacy|filters)] this message, or info on the specified option\n"
+msgstr ""
+
+#: ../aa_status.c:856
+#, c-format
+msgid "Error: Invalid --help option '%s'.\n"
+msgstr ""
+
+#: ../aa_status.c:924
+#, c-format
+msgid "Error: Invalid --show option '%s'.\n"
+msgstr ""
+
+#: ../aa_status.c:946
+msgid "Error: Invalid command.\n"
+msgstr ""
+
+#: ../aa_status.c:971
+msgid "Error: Unknown options.\n"
+msgstr ""
+
+#: ../aa_status.c:983
+#, c-format
+msgid "Error: failed to compile mode filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:988
+#, c-format
+msgid "Error: failed to compile profiles filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:994
+#, c-format
+msgid "Error: failed to compile ps filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:1000
+#, c-format
+msgid "Error: failed to compile exe filter '%s'\n"
+msgstr ""
+
+#: ../aa_status.c:1015
+#, c-format
+msgid "Failed to open memstream: %m\n"
+msgstr ""
+
+#: ../aa_status.c:1026
+#, c-format
+msgid "Failed to get profiles: %d....\n"
+msgstr ""
+
+#: ../aa_status.c:1050
+#, c-format
+msgid "Failed to get processes: %d....\n"
+msgstr ""
+
+#: ../aa_status.c:1076
+msgid "Failed to parse json output"
+msgstr ""
+
+#: ../aa_status.c:1083
+msgid "Failed to print pretty json"
+msgstr ""
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-4.1.0~beta5
+4.1.0~beta1
--- a/libraries/libapparmor/doc/aa_change_hat.pod
+++ b/libraries/libapparmor/doc/aa_change_hat.pod
@@ -22,15 +22,15 @@

 =head1 NAME

-aa_change_hat  - change to or from a "hat" within a AppArmor profile
+aa_change_hat - change to or from a "hat" within a AppArmor profile

 =head1 SYNOPSIS

 B<#include E<lt>sys/apparmor.hE<gt>>

-B<int aa_change_hat (char *subprofile, unsigned long magic_token);>
+B<int aa_change_hat (const char *subprofile, unsigned long magic_token);>

-B<int aa_change_hatv (char *subprofiles[], unsigned long magic_token);>
+B<int aa_change_hatv (const char *subprofiles[], unsigned long magic_token);>

 B<int aa_change_hat_vargs (unsigned long magic_token, ...);>

--- a/libraries/libapparmor/doc/aa_change_profile.pod
+++ b/libraries/libapparmor/doc/aa_change_profile.pod
@@ -22,7 +22,7 @@

 =head1 NAME

-aa_change_profile, aa_change_onexec - change a tasks profile
+aa_change_profile, aa_change_onexec - change a task's profile

 =head1 SYNOPSIS

@@ -58,8 +58,8 @@ The aa_change_onexec() function is like the aa_change_profile() function
 except it specifies that the profile transition should take place on the
 next exec instead of immediately.  The delayed profile change takes
 precedence over any exec transition rules within the confining profile.
-Delaying the profile boundary has a couple of advantages, it removes the
-need for stub transition profiles and the exec boundary is a natural security
+Delaying the profile boundary has a couple of advantages: it removes the
+need for stub transition profiles, and the exec boundary is a natural security
 layer where potentially sensitive memory is unmapped.

 =head1 RETURN VALUE
--- a/libraries/libapparmor/doc/aa_features.pod
+++ b/libraries/libapparmor/doc/aa_features.pod
@@ -54,7 +54,7 @@ B<typedef struct aa_features aa_features;>

 B<int aa_features_new(aa_features **features, int dirfd, const char *path);>

-B<int aa_features_new_from_file(aa_features **features, int fd);>
+B<int aa_features_new_from_file(aa_features **features, int file);>

 B<int aa_features_new_from_string(aa_features **features, const char *string, size_t size);>

--- a/libraries/libapparmor/doc/aa_find_mountpoint.pod
+++ b/libraries/libapparmor/doc/aa_find_mountpoint.pod
@@ -58,6 +58,9 @@ appropriately.

 =head1 ERRORS

+# podchecker warns about duplicate link targets for EACCES, EBUSY, ENOENT,
+# and ENOMEM, but this is a warning that is safe to ignore.
+
 B<aa_is_enabled>

 =over 4
--- a/libraries/libapparmor/doc/aa_stack_profile.pod
+++ b/libraries/libapparmor/doc/aa_stack_profile.pod
@@ -41,7 +41,7 @@ result is an intersection of all profiles which are stacked. Stacking profiles
 together is desirable when wanting to ensure that confinement will never become
 more permissive. When changing between two profiles, as performed with
 aa_change_profile(2), there is always the possibility that the new profile is
-more permissive than the old profile but that possibility is eliminated when
+more permissive than the old profile, but that possibility is eliminated when
 using aa_stack_profile().

 To stack a profile with the current confinement context, a task can use the
@@ -68,7 +68,7 @@ The aa_stack_onexec() function is like the aa_stack_profile() function
 except it specifies that the stacking should take place on the next exec
 instead of immediately. The delayed profile change takes precedence over any
 exec transition rules within the confining profile. Delaying the stacking
-boundary has a couple of advantages, it removes the need for stub transition
+boundary has a couple of advantages: it removes the need for stub transition
 profiles and the exec boundary is a natural security layer where potentially
 sensitive memory is unmapped.

--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -32,10 +32,10 @@ INCLUDES = $(all_includes)
 #
 # After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.

-AA_LIB_CURRENT = 25
-AA_LIB_REVISION = 1
-AA_LIB_AGE = 24
-EXPECTED_SO_NAME = libapparmor.so.1.24.1
+AA_LIB_CURRENT = 20
+AA_LIB_REVISION = 0
+AA_LIB_AGE = 19
+EXPECTED_SO_NAME = libapparmor.so.1.19.0

 SUFFIXES = .pc.in .pc

--- a/libraries/libapparmor/swig/Makefile.am
+++ b/libraries/libapparmor/swig/Makefile.am
@@ -1,3 +1,3 @@
 SUBDIRS = perl python ruby

-EXTRA_DIST = SWIG/*.i java/Makefile.am
+EXTRA_DIST = SWIG/*.i
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -258,13 +258,7 @@ extern int aa_is_enabled(void);
 * allocation uninitialized (0) != SWIG_NEWOBJ
 */
 %#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
-  /* 
-   * Some older versions of SWIG place this right after a goto label
-   * This would then be a label followed by a declaration, a C23 extension (!)
-   * To ensure this works for older SWIG versions and older compilers,
-   * make this a block element with curly braces.
-   */
-  {static_assert(SWIG_NEWOBJ != 0, "SWIG_NEWOBJ is 0");}
+  static_assert(SWIG_NEWOBJ != 0);
 %#endif
  if ($1 != NULL && alloc_tracking$argnum != NULL) {
    for (Py_ssize_t i=0; i<seq_len$argnum; i++) {
@@ -321,17 +315,10 @@ extern int aa_stack_onexec(const char *profile);
 * We can't use "typedef int pid_t" because we still support systems
 * with 16-bit PIDs and SWIG can't find sys/types.h
 *
- * Capture the passed-in value as a long because pid_t is guaranteed
- * to be a signed integer and because the aalogparse struct uses
- * (unsigned) longs to store pid values. While intmax_t would be more
- * technically correct, if sizeof(pid_t) > sizeof(long) then aalogparse
- * itself would also need fixing.
+ * Capture the passed-in value as an intmax_t because pid_t is guaranteed
+ * to be a signed integer
 */
-%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, long pid_large) {
-%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
-  static_assert(sizeof(pid_t) <= sizeof(long),
-    "pid_t type is too large to be stored in a long");
-%#endif
+%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, intmax_t pid_large) {
  conv_pid = SWIG_AsVal_long($input, &pid_large);
  if (!SWIG_IsOK(conv_pid)) {
    %argument_fail(conv_pid, "pid_t", $symname, $argnum);
@@ -341,7 +328,7 @@ extern int aa_stack_onexec(const char *profile);
   * Technically this is implementation-defined behaviour but we should be fine
   */
  $1 = (pid_t) pid_large;
-  if ((long) $1 != pid_large) {
+  if ((intmax_t) $1 != pid_large) {
    SWIG_exception_fail(SWIG_OverflowError, "pid_t is too large");
  }
 }
--- a/libraries/libapparmor/swig/java/Makefile.am
+++ b/libraries/libapparmor/swig/java/Makefile.am
@@ -1,21 +0,0 @@
-WRAPPERFILES = apparmorlogparse_wrap.c
-
-BUILT_SOURCES = apparmorlogparse_wrap.c
-
-all-local: apparmorlogparse_wrap.o
-	$(CC) -module apparmorlogparse_wrap.o -o libaalogparse.so
-        
-apparmorlogparse_wrap.o: apparmorlogparse_wrap.c
-	$(CC) -c apparmorlogparse_wrap.c $(CFLAGS) -I../../src -I/usr/include/classpath  -fno-strict-aliasing -o apparmorlogparse_wrap.o
-        
-clean-local:
-	rm -rf org
-
-apparmorlogparse_wrap.c: org/aalogparse ../SWIG/*.i
-	$(SWIG) -java -I../SWIG -I../../src -outdir org/aalogparse \
-		-package org.aalogparse -o apparmorlogparse_wrap.c libaalogparse.i
-
-org/aalogparse:
-	mkdir -p org/aalogparse
-
-EXTRA_DIST = $(BUILT_SOURCES) 
--- a/libraries/libapparmor/testsuite/test_multi/exec01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/exec01.profile
@@ -1,2 +1,4 @@
 /home/cb/bin/hello.sh {
+  /usr/bin/rm mrix,
+
 }
--- a/libraries/libapparmor/testsuite/test_multi/exec02.profile
+++ b/libraries/libapparmor/testsuite/test_multi/exec02.profile
@@ -1,2 +1,4 @@
 /usr/bin/wireshark {
+  /usr/lib64/wireshark/extcap/androiddump mrix,
+
 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase01.profile
@@ -1,4 +1,4 @@
 /bin/ping {
-  ping2 ix,
+  /bin/ping mrix,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase12.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase12.profile
@@ -1,4 +1,4 @@
 /bin/ping {
-  /bin/ping ix,
+  /bin/ping mrix,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase13.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase13.profile
@@ -1,4 +1,4 @@
 /bin/ping {
-  /bin/ping ix,
+  /bin/ping mrix,

 }
--- a/libraries/libapparmor/testsuite/test_multi/testcase31.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase31.profile
@@ -0,0 +1,4 @@
+/home/steve/aa-regression-tests/link {
+  /tmp/sdtest.8236-29816-IN8243/target l,
+
+}
--- a/libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.profile
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.profile
@@ -1,3 +1,4 @@
 /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
-  dbus send bus=system path=/org/freedesktop/systemd1  interface=org.freedesktop.systemd1.Manager  member=LookupDynamicUserByName peer=( name=org.freedesktop.systemd1, label=unconfined),
+  dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=(label=unconfined),
+
 }
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -388,7 +388,7 @@ aa_change_hat(2) can take advantage of subprofiles to run under different
 confinements, dependent on program logic. Several aa_change_hat(2)-aware
 applications exist, including an Apache module, mod_apparmor(5); a PAM
 module, pam_apparmor; and a Tomcat valve, tomcat_apparmor. Applications
-written or modified to use change_profile(2) transition permanently to the
+written or modified to use aa_change_profile(2) transition permanently to the
 specified profile. libvirt is one such application.

 =head2 Profile Head
@@ -604,7 +604,7 @@ modes:

 =item B<Ux>

- unconfined execute -- scrub the environment
+- unconfined execute -- use ld.so(8) secure-execution mode

 =item B<px>

@@ -612,7 +612,7 @@ modes:

 =item B<Px>

- discrete profile execute -- scrub the environment
+- discrete profile execute -- use ld.so(8) secure-execution mode

 =item B<cx>

@@ -620,7 +620,7 @@ modes:

 =item B<Cx>

- transition to subprofile on execute -- scrub the environment
+- transition to subprofile on execute -- use ld.so(8) secure-execution mode

 =item B<ix>

@@ -632,7 +632,7 @@ modes:

 =item B<Pix>

- discrete profile execute with inherit fallback -- scrub the environment
+- discrete profile execute with inherit fallback -- use ld.so(8) secure-execution mode

 =item B<cix>

@@ -640,7 +640,7 @@ modes:

 =item B<Cix>

- transition to subprofile on execute with inherit fallback -- scrub the environment
+- transition to subprofile on execute with inherit fallback -- use ld.so(8) secure-execution mode

 =item B<pux>

@@ -648,7 +648,7 @@ modes:

 =item B<PUx>

- discrete profile execute with fallback to unconfined -- scrub the environment
+- discrete profile execute with fallback to unconfined -- use ld.so(8) secure-execution mode

 =item B<cux>

@@ -656,7 +656,7 @@ modes:

 =item B<CUx>

- transition to subprofile on execute with fallback to unconfined -- scrub the environment
+- transition to subprofile on execute with fallback to unconfined -- use ld.so(8) secure-execution mode

 =item B<deny x>

@@ -715,20 +715,20 @@ constrained, see the apparmor(7) man page.

 B<WARNING> 'ux' should only be used in very special cases. It enables the
 designated child processes to be run without any AppArmor protection.
-'ux' does not scrub the environment of variables such as LD_PRELOAD;
-as a result, the calling domain may have an undue amount of influence
-over the callee.  Use this mode only if the child absolutely must be
+'ux' does not use ld.so(8) secure-execution mode to clear variables such as 
+LD_PRELOAD; as a result, the calling domain may have an undue amount of 
+influence over the callee. Use this mode only if the child absolutely must be
 run unconfined and LD_PRELOAD must be used. Any profile using this mode
 provides negligible security. Use at your own risk.

 Incompatible with other exec transition modes and the deny qualifier.

-=item B<Ux - unconfined execute -- scrub the environment>
+=item B<Ux - unconfined execute -- use ld.so(8) secure-execution mode>

 'Ux' allows the named program to run in 'ux' mode, but AppArmor
-will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
-the environment, similar to setuid programs. (See ld.so(8) for some
-information on setuid/setgid environment scrubbing.)
+will invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8)
+secure-execution mode and clear environment variables such as LD_PRELOAD, 
+similar to setuid programs. (See ld.so(8) for more information.)

 B<WARNING> 'Ux' should only be used in very special cases. It enables the
 designated child processes to be run without any AppArmor protection.
@@ -743,18 +743,18 @@ This mode requires that a discrete security profile is defined for a
 program executed and forces an AppArmor domain transition. If there is
 no profile defined then the access will be denied.

-B<WARNING> 'px' does not scrub the environment of variables such as
-LD_PRELOAD; as a result, the calling domain may have an undue amount of
+B<WARNING> 'px' does not use ld.so(8) secure-execution mode to clear variables 
+such as LD_PRELOAD; as a result, the calling domain may have an undue amount of 
 influence over the callee.

 Incompatible with other exec transition modes and the deny qualifier.

-=item B<Px - Discrete Profile execute mode -- scrub the environment>
+=item B<Px - Discrete Profile execute mode -- use ld.so(8) secure-execution mode>

 'Px' allows the named program to run in 'px' mode, but AppArmor
-will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
-the environment, similar to setuid programs. (See ld.so(8) for some
-information on setuid/setgid environment scrubbing.)
+will invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8)
+secure-execution mode and clear environment variables such as LD_PRELOAD, 
+similar to setuid programs. (See ld.so(8) for more information.)

 Incompatible with other exec transition modes and the deny qualifier.

@@ -764,18 +764,18 @@ This mode requires that a local security profile is defined and forces an
 AppArmor domain transition to the named profile. If there is no profile
 defined then the access will be denied.

-B<WARNING> 'cx' does not scrub the environment of variables such as
-LD_PRELOAD; as a result, the calling domain may have an undue amount of
+B<WARNING> 'cx' does not use ld.so(8) secure-execution mode to clear variables 
+such as LD_PRELOAD; as a result, the calling domain may have an undue amount of 
 influence over the callee.

 Incompatible with other exec transition modes and the deny qualifier.

-=item B<Cx - Transition to Subprofile execute mode -- scrub the environment>
+=item B<Cx - Transition to Subprofile execute mode -- use ld.so(8) secure-execution mode>

 'Cx' allows the named program to run in 'cx' mode, but AppArmor
-will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
-the environment, similar to setuid programs. (See ld.so(8) for some
-information on setuid/setgid environment scrubbing.)
+will invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8)
+secure-execution mode and clear environment variables such as LD_PRELOAD, 
+similar to setuid programs. (See ld.so(8) for more information.)

 Incompatible with other exec transition modes and the deny qualifier.

@@ -788,7 +788,7 @@ will inherit the current profile.
 This mode is useful when a confined program needs to call another
 confined program without gaining the permissions of the target's
 profile, or losing the permissions of the current profile. There is no
-version to scrub the environment because 'ix' executions don't change
+version to set secure-execution mode because 'ix' executions don't change
 privileges.

 Incompatible with other exec transition modes and the deny qualifier.
@@ -1690,11 +1690,11 @@ rule set.  Eg.
  change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3},

 The exec mode dictates whether or not the Linux Kernel's B<unsafe_exec>
-routines should be used to scrub the environment, similar to setuid programs.
-(See ld.so(8) for some information on setuid/setgid environment scrubbing.) The
-B<safe> mode sets up environment scrubbing to occur when the new application is
-executed and B<unsafe> mode disables AppArmor's requirement for environment
-scrubbing (the kernel and/or libc may still require environment scrubbing). An
+routines should be used to set ld.so(8) secure-execution mode and clear 
+environment variables such as LD_PRELOAD, similar to setuid programs. 
+(See ld.so(8) for more information.) The B<safe> mode sets up secure-execution 
+mode for the new application, and B<unsafe> mode disables AppArmor's 
+requirement for it (the kernel and/or libc may still turn it on). An
 exec mode can only be specified when an exec condition is present.

  change_profile safe /bin/bash -> new_profile,
@@ -1796,61 +1796,6 @@ F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
 The special B<@{profile_name}> variable is set to the profile name and may be
 used in all policy.

-=head3 Notes on variable expansion and the / character
-
-It is important to note that how AppArmor performs variable expansion
-depends on the context where a variable is used. When a variable is
-expanded it can result in a string with multiple path characters
-next to each other, in a way that is not evident when looking at
-policy.
-
-Eg.
-
-=over 4
-
-Given the following variable definition and rule
-
-@{HOME}=/home/*/
-file rw @{HOME}/*,
-
-The variable expansion results in a rule of
-
-file rw /home/*//*.
-
-=back
-
-When this occurs in a context where a path is expected, AppArmor will
-canonicalize the path by collapsing consecutive / characters into
-a single character. For the above example, this would be
-
-  file rw /home/*/*,
-
-There is one exception to this rule, when the consecutive / characters
-are at the beginning of a path, this indicates a posix namespace
-and the characters will not be collapsed.
-
-Eg.
-
-=over 4
-
-@{HOME}=/home/*/
-file rw /@{HOME}/*,
-
-will result in an expansion of
-
-file rw //home/*//*,
-
-which is collapsed to
-
-file rw //home/*/*,
-
-Note: that the leading // in the above example is not collapsed to a
-single /. However the second // (that was also seen in the first
-example) is collapsed.
-
-=back
-
-
 =head2 Alias rules

 AppArmor also provides alias rules for remapping paths for site-specific
@@ -2152,7 +2097,7 @@ An example AppArmor profile:
  	  /usr/lib/**         r,
  	  /tmp/foo.pid        wr,
  	  /tmp/foo.*          lrw,
-	  @{HOME}/.foo_file  rw,
+	  /@{HOME}/.foo_file  rw,
 	  /usr/bin/baz        Cx -> baz,

 	  # a comment about foo's hat (subprofile), bar.
@@ -2214,7 +2159,7 @@ negative values match when specifying one or the other. Eg, 'rw' matches when
 =head1 SEE ALSO

 apparmor(7), apparmor_parser(8), apparmor_xattrs(7), aa-complain(1),
-aa-enforce(1), aa_change_hat(2), mod_apparmor(5), and
+aa-enforce(1), aa_change_hat(2), aa_change_profile(2), mod_apparmor(5), and
 L<https://wiki.apparmor.net>.

 =cut
--- a/parser/apparmor.pod
+++ b/parser/apparmor.pod
@@ -206,8 +206,8 @@ which can help debugging profiles.
 =head2 Enable debug mode

 When debug mode is enabled, AppArmor will log a few extra messages to
-dmesg (not via the audit subsystem). For example, the logs will tell
-whether environment scrubbing has been applied.
+dmesg (not via the audit subsystem). For example, the logs will state when
+ld.so(8) secure-execution mode has been applied in a profile transition.

 To enable debug mode, run:

--- a/parser/capability.h
+++ b/parser/capability.h
@@ -63,7 +63,6 @@ typedef enum capability_flags {
 } capability_flags;

 int name_to_capability(const char *keyword);
-void capabilities_init(void);
 void __debug_capabilities(uint64_t capset, const char *name);
 bool add_cap_feature_mask(struct aa_features *features, capability_flags flags);
 void clear_cap_flag(capability_flags flags);
--- a/parser/libapparmor_re/README
+++ b/parser/libapparmor_re/README
@@ -10,6 +10,199 @@ aare_rules.{h,cc} - code to that binds parse -> expr-tree -> hfa generation
                    -> chfa generation into a basic interface for converting
 		    rules to a runtime ready state machine.

+Notes on the compiler pipeline order
+============================================
+
+Front End: Program driver logic and policy text parsing into an
+           abstract syntax tree.
+Middle Layer: Transforms and operations on the abstract syntax tree.
+              Converts syntax tree into expression tree for back end.
+Back End: transforms of syntax tree, and creation of policy HFA from
+          expression trees and HFAs.
+
+
+Basic order of the backend of the compiler pipe line and where the
+dump information occurs in the pipeline.
+
+===== Front End (parse -> AST ================
+       |
+       v
+    yyparse
+       |
+--->--+-->-+
+|           |
+|  +-->---- +---------------------------<-----------------------+
+|  |        |                                                   |
+|  |        v                                                   |
+|  |      yylex                                                 |
+|  |        |                                                   |
+|  ^   token match                                              |
+|  |        |                                                   |
+|  |        +----------------------------+                      |
+|  |        |                            |                      ^
+|  |        v                            v                      |
+|  +-<- rule match?                  preprocess                 |
+|           |                            |                      |
+|    early var expansion      +----------+-----------+          |
+|           |                 |          |           |          |
+^           v                 v          v           v          |
+|   new rule() / new ent   include   variable   conditional     |
+|           |                 |          |           |          |
+|           v                 +---->-----+----->-----+----->----+
+| new rule semantic check
+|           |
+-----<-----+
+            |
+----------- | ------ End of Parse --------------------
+            |
+            v
+post_parse_profile semantic check
+       |
+       v
+  post_process
+           |
+           v
+     add implied rules()
+           |
+           v
+  process_profile_variables()
+                    |
+                    v
+                  rule->expand_variables()
+                    |
+           +--------+
+           |
+           v
+   replace aliases (to be moved to backend rewrite)
+           |
+           v
+      merge rules
+           |
+           v
+       profile->merge_rules()
+                        |
+                        v
+                +-->--rule->is_mergeable()
+                |                |
+                ^                v
+                |           add to table
+                |                |
+                +-------+--------+
+                        |
+                        v
+                      sort->cmp()/oper<()
+                        |
+                      rule->merge()
+                        |
+           +------------+
+           |
+           v
+  process_profile_rules
+                   |
+                   v
+                 rule->gen_policy_re()
+                            |
+                            v
+===== Mid layer (AST -> expr tree) =================
+                            |
+                     +-> add_rule()			(aare_rules.{h,cc})
+                     |      |
+                     |      v
+                     |  rule parse			(parse.y)
+                     |      |    |
+                     |      |    v
+                     |      |   expr tree		(expr-tree.{h,cc})
+                     |      |       |
+                     |      v       |
+                     | unique perms |		(aare_rules.{h,cc})
+                     |      |       |
+                     |      +------ +
+                     |      |
+                     |      v
+                     |  add to rules expr tree	(aare_rules.{h,c})
+                     |      |
+                     +------+
+                            |
+         +------------------+
+         |
+         v
+    create_dfablob()
+         |
+         v
+      expr tree
+         |
+         v
+  create_chfa()		(aare_rules.cc)
+         |
+         v
+  expr normalization	(expr-tree.{h,cc})
+         |
+         v
+  expr simplification	(expr-tree.{h,c})
+         |
+         +- D expr-tree
+         |
+         +- D expr-simplified
+         |
+==== Back End - Create cHFA out of expr tree and other HFAs ====
+         v
+    hfa creation	(hfa.{h,cc})
+         |
+         +- D dfa-node-map
+         |
+         +- D dfa-uniq-perms
+         |
+         +- D dfa-states-initial
+         |
+         v
+    hfa rewrite		(not yet implemented)
+         |
+         v
+    filter deny		(hfa.{h,cc})
+         |
+         +- D dfa-states-post-filter
+         |
+         v
+    minimization	(hfa.{h,cc})
+         |
+         +- D dfa-minimize-partitions
+         |
+         +- D dfa-minimize-uniq-perms
+         |
+         +- D dfa-states-post-minimize
+         |
+         v
+   unreachable state removal	(hfa.{h,cc})
+         |
+         +- D dfa-states-post-unreachable
+         |
+         +- D dfa-states	constructed hfa
+         |
+         +- D dfa-graph
+         |
+         v
+equivalence class construction
+         |
+         +- D equiv
+         |
+     diff encode		(hfa.{h,cc})
+         |
+         +- D diff-encode
+         |
+compute perms table
+         |
+         +- D compressed-dfa == perm table dump
+         |
+   compressed hfa			(chfa.{h,cc}
+         |
+         +- D compressed-dfa == transition tables
+         |
+         +- D dfa-compressed-states    - compress HFA in state form
+         |
+         v
+  Return to Mid Layer
+
+
 Notes on the compress hfa file format (chfa)
 ==============================================

--- a/parser/libapparmor_re/chfa.cc
+++ b/parser/libapparmor_re/chfa.cc
@@ -25,6 +25,8 @@
 #include <iostream>
 #include <fstream>

+#include <limits>
+
 #include <arpa/inet.h>
 #include <stdio.h>
 #include <string.h>
@@ -592,10 +594,11 @@ void CHFA::weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
 		//           to repeat
 		assert(accept.size() == old_base_size);
 		accept.resize(accept.size() + file_chfa.accept.size());
-		size_t size = policy_perms.size();
+		assert(policy_perms.size() < std::numeric_limits<ssize_t>::max());
+		ssize_t size = (ssize_t) policy_perms.size();
 		policy_perms.resize(size*2 + file_perms.size());
 		// shift and double the policy perms
-		for (size_t i = size - 1; size >= 0; i--) {
+		for (ssize_t i = size - 1; i >= 0; i--) {
 			policy_perms[i*2] = policy_perms[i];
 			policy_perms[i*2 + 1] = policy_perms[i];
 		}
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@@ -558,6 +558,14 @@ void DFA::dump_uniq_perms(const char *s)
 	//TODO: add prompt
 }

+// make sure work_queue and reachable insertion are always done together
+static void push_reachable(set<State *> &reachable, list<State *> &work_queue,
+		    State *state)
+{
+	work_queue.push_back(state);
+	reachable.insert(state);
+}
+
 /* Remove dead or unreachable states */
 void DFA::remove_unreachable(optflags const &opts)
 {
@@ -565,19 +573,18 @@ void DFA::remove_unreachable(optflags const &opts)

 	/* find the set of reachable states */
 	reachable.insert(nonmatching);
-	work_queue.push_back(start);
+	push_reachable(reachable, work_queue, start);
 	while (!work_queue.empty()) {
 		State *from = work_queue.front();
 		work_queue.pop_front();
-		reachable.insert(from);

 		if (from->otherwise != nonmatching &&
 		    reachable.find(from->otherwise) == reachable.end())
-			work_queue.push_back(from->otherwise);
+			push_reachable(reachable, work_queue, from->otherwise);

 		for (StateTrans::iterator j = from->trans.begin(); j != from->trans.end(); j++) {
 			if (reachable.find(j->second) == reachable.end())
-				work_queue.push_back(j->second);
+				push_reachable(reachable, work_queue, j->second);
 		}
 	}

@@ -1532,7 +1539,9 @@ int accept_perms(optflags const &opts, NodeVec *state, perms_t &perms,
 {
 	int error = 0;
 	perms_t exact;
-	std::vector<int>  priority(sizeof(perm32_t)*8,  MIN_INTERNAL_PRIORITY);	// 32 but wan't tied to perm32_t
+	// size of vector needs to be number of bits in the data type
+	// being used for the permission set.
+	std::vector<int>  priority(sizeof(perm32_t)*8,  MIN_INTERNAL_PRIORITY);
 	perms.clear();

 	if (!state)
--- a/parser/libapparmor_re/hfa.h
+++ b/parser/libapparmor_re/hfa.h
@@ -275,7 +275,7 @@ public:

 	ostream &dump(ostream &os)
 	{
-		cerr << *this << "\n";
+		os << *this << "\n";
 		for (StateTrans::iterator i = trans.begin(); i != trans.end(); i++) {
 			os << "    " << i->first.c << " -> " << *i->second << "\n";
 		}
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -355,7 +355,8 @@ int is_valid_mnt_cond(const char *name, int src)
 static unsigned int extract_flags(struct value_list **list, unsigned int *inv)
 {
 	unsigned int flags = 0, invflags = 0;
-	*inv = 0;
+	if (inv)
+		*inv = 0;

 	struct value_list *entry, *tmp, *prev = NULL;
 	list_for_each_safe(*list, entry, tmp) {
@@ -368,11 +369,7 @@ static unsigned int extract_flags(struct value_list **list, unsigned int *inv)
 			       " => req: 0x%x inv: 0x%x\n",
 			       entry->value, mnt_opts_table[i].set,
 			       mnt_opts_table[i].clear, flags, invflags);
-			if (prev)
-				prev->next = tmp;
-			if (entry == *list)
-				*list = tmp;
-			entry->next = NULL;
+			list_remove_at(*list, prev, entry);
 			free_value_list(entry);
 		} else
 			prev = entry;
@@ -683,7 +680,7 @@ int mnt_rule::cmp(rule_t const &rhs) const {
 		return cmp_vec_int(opt_flagsv, rhs_mnt.opt_flagsv);
 	}

-static int build_mnt_flags(char *buffer, int size, unsigned int flags,
+static bool build_mnt_flags(char *buffer, int size, unsigned int flags,
 			   unsigned int opt_flags)
 {
 	char *p = buffer;
@@ -693,8 +690,8 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		/* all flags are optional */
 		len = snprintf(p, size, "%s", default_match_pattern);
 		if (len < 0 || len >= size)
-			return FALSE;
-		return TRUE;
+			return false;
+		return true;
 	}
 	for (i = 0; i <= 31; ++i) {
 		if ((opt_flags) & (1 << i))
@@ -705,7 +702,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 			continue;

 		if (len < 0 || len >= size)
-			return FALSE;
+			return false;
 		p += len;
 		size -= len;
 	}
@@ -716,15 +713,15 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		 * like the empty string
 		 */
 		if (size < 9)
-			return FALSE;
+			return false;

 		strcpy(p, "(\\xfe|)");
 	}

-	return TRUE;
+	return true;
 }

-static int build_mnt_opts(std::string& buffer, struct value_list *opts)
+static bool build_mnt_opts(std::string& buffer, struct value_list *opts)
 {
 	struct value_list *ent;
 	pattern_t ptype;
@@ -732,19 +729,19 @@ static int build_mnt_opts(std::string& buffer, struct value_list *opts)

 	if (!opts) {
 		buffer.append(default_match_pattern);
-		return TRUE;
+		return true;
 	}

 	list_for_each(opts, ent) {
 		ptype = convert_aaregex_to_pcre(ent->value, 0, glob_default, buffer, &pos);
 		if (ptype == ePatternInvalid)
-			return FALSE;
+			return false;

 		if (ent->next)
 			buffer.append(",");
 	}

-	return TRUE;
+	return true;
 }

 void mnt_rule::warn_once(const char *name)
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -179,8 +179,6 @@ struct var_string {
 #define OPTION_STDOUT	4
 #define OPTION_OFILE	5

-#define BOOL int
-
 extern int preprocess_only;

 #define PATH_CHROOT_REL 0x1
@@ -213,13 +211,6 @@ do {						\
 	errno = perror_error;			\
 } while (0)

-#ifndef TRUE
-#define TRUE	(1)
-#endif
-#ifndef FALSE
-#define FALSE	(0)
-#endif
-
 #define MIN_PORT 0
 #define MAX_PORT 65535

@@ -251,17 +242,6 @@ do {						\
 	len;			\
 })

-#define list_find_prev(LIST, ENTRY)	\
-({					\
-	typeof(ENTRY) tmp, prev = NULL;	\
-	list_for_each((LIST), tmp) {	\
-		if (tmp == (ENTRY))	\
-			break;		\
-		prev = tmp;		\
-	}				\
-	prev;				\
-})
-
 #define list_pop(LIST)				\
 ({						\
 	typeof(LIST) _entry = (LIST);		\
@@ -279,12 +259,6 @@ do {						\
 		(LIST) = (ENTRY)->next;				\
 	(ENTRY)->next = NULL;					\

-#define list_remove(LIST, ENTRY)				\
-do {								\
-	typeof(ENTRY) prev = list_find_prev((LIST), (ENTRY));	\
-	list_remove_at((LIST), prev, (ENTRY));			\
-} while (0)
-

 #define DUP_STRING(orig, new, field, fail_target) \
 	do {									\
@@ -423,10 +397,10 @@ extern const char *basedir;
 #define glob_null	1
 extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
 					 std::string& pcre, int *first_re_pos);
-extern int build_list_val_expr(std::string& buffer, struct value_list *list);
-extern int convert_entry(std::string& buffer, char *entry);
+extern bool build_list_val_expr(std::string& buffer, struct value_list *list);
+extern bool convert_entry(std::string& buffer, char *entry);
 extern int clear_and_convert_entry(std::string& buffer, char *entry);
-extern int convert_range(std::string& buffer, bignum start, bignum end);
+extern bool convert_range(std::string& buffer, bignum start, bignum end);
 extern int process_regex(Profile *prof);
 extern int post_process_entry(struct cod_entry *entry);

@@ -445,7 +419,6 @@ extern void free_var_string(struct var_string *var);
 extern void warn_uppercase(void);
 extern int is_blacklisted(const char *name, const char *path);
 extern struct value_list *new_value_list(char *value);
-extern struct value_list *dup_value_list(struct value_list *list);
 extern void free_value_list(struct value_list *list);
 extern void print_value_list(struct value_list *list);
 extern struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list);
--- a/parser/parser_alias.c
+++ b/parser/parser_alias.c
@@ -142,8 +142,10 @@ static void process_entries(const void *nodep, VISIT value, int level unused)
 		}
 		if (dup) {
 			dup->alias_ignore = true;
-			/* adds to the front of the list, list iteratition
-			 * will skip it
+			/* The original entry->next is in dup->next, so we don't lose
+			 * any of the original elements of the linked list. Also, by
+			 * setting dup->alias_ignore, we trigger the check at the start
+			 * of the loop, skipping the new entry we just inserted.
 			 */
 			entry->next = dup;

--- a/parser/parser_include.c
+++ b/parser/parser_include.c
@@ -202,7 +202,7 @@ static void start_include_position(const char *filename)
 	current_lineno   = 1;
 }

-void push_include_stack(char *filename)
+void push_include_stack(const char *filename)
 {
 	struct include_stack_t *include = NULL;

--- a/parser/parser_include.h
+++ b/parser/parser_include.h
@@ -29,7 +29,7 @@ extern void parse_default_paths(void);
 extern int do_include_preprocessing(char *profilename);
 FILE *search_path(char *filename, char **fullpath, bool *skip);

-extern void push_include_stack(char *filename);
+extern void push_include_stack(const char *filename);
 extern void pop_include_stack(void);
 extern void reset_include_stack(const char *filename);

--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -245,7 +245,7 @@ static inline void sd_write_uint64(std::ostringstream &buf, u64 b)

 static inline void sd_write_name(std::ostringstream &buf, const char *name)
 {
-	PDEBUG("Writing name '%s'\n", name);
+	PDEBUG("Writing name '%s'\n", name ? name : "(null)");
 	if (name) {
 		sd_write8(buf, SD_NAME);
 		sd_write16(buf, strlen(name) + 1);
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -1620,7 +1620,6 @@ int main(int argc, char *argv[])
 	progname = argv[0];

 	init_base_dir();
-	capabilities_init();

 	process_early_args(argc, argv);
 	process_config_file(config_file);
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -35,6 +35,7 @@
 #include <sys/apparmor_private.h>

 #include <algorithm>
+#include <unordered_map>

 #include "capability.h"
 #include "lib.h"
@@ -61,6 +62,10 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size)
 }
 #endif

+#ifndef NULL
+#define NULL nullptr
+#endif
+
 int is_blacklisted(const char *name, const char *path)
 {
 	int retval = _aa_is_blacklisted(name);
@@ -71,12 +76,7 @@ int is_blacklisted(const char *name, const char *path)
 	return !retval ? 0 : 1;
 }

-struct keyword_table {
-	const char *keyword;
-	unsigned int token;
-};
-
-static struct keyword_table keyword_table[] = {
+static const unordered_map<string, int> keyword_table = {
 	/* network */
 	{"network",		TOK_NETWORK},
 	{"unix",		TOK_UNIX},
@@ -132,11 +132,9 @@ static struct keyword_table keyword_table[] = {
 	{"sqpoll",		TOK_SQPOLL},
 	{"all",			TOK_ALL},
 	{"priority",		TOK_PRIORITY},
-	/* terminate */
-	{NULL, 0}
 };

-static struct keyword_table rlimit_table[] = {
+static const unordered_map<string, int> rlimit_table = {
 	{"cpu",			RLIMIT_CPU},
 	{"fsize",		RLIMIT_FSIZE},
 	{"data",		RLIMIT_DATA},
@@ -162,37 +160,33 @@ static struct keyword_table rlimit_table[] = {
 #ifdef RLIMIT_RTTIME
 	{"rttime",		RLIMIT_RTTIME},
 #endif
-	/* terminate */
-	{NULL, 0}
 };

 /* for alpha matches, check for keywords */
-static int get_table_token(const char *name unused, struct keyword_table *table,
-			   const char *keyword)
+static int get_table_token(const char *name unused, const unordered_map<string, int> &table,
+			   const string &keyword)
 {
-	int i;
-
-	for (i = 0; table[i].keyword; i++) {
-		PDEBUG("Checking %s %s\n", name, table[i].keyword);
-		if (strcmp(keyword, table[i].keyword) == 0) {
-			PDEBUG("Found %s %s\n", name, table[i].keyword);
-			return table[i].token;
-		}
+	auto token_entry = table.find(keyword);
+	if (token_entry == table.end()) {
+		PDEBUG("Unable to find %s %s\n", name, keyword.c_str());
+		return -1;
+	} else {
+		PDEBUG("Found %s %s\n", name, keyword.c_str());
+		return token_entry->second;
 	}
-
-	PDEBUG("Unable to find %s %s\n", name, keyword);
-	return -1;
 }

 /* for alpha matches, check for keywords */
 int get_keyword_token(const char *keyword)
 {
-	return get_table_token("keyword", keyword_table, keyword);
+	// Can't use string_view because that requires C++17
+	return get_table_token("keyword", keyword_table, string(keyword));
 }

 int get_rlimit(const char *name)
 {
-	return get_table_token("rlimit", rlimit_table, name);
+	// Can't use string_view because that requires C++17
+	return get_table_token("rlimit", rlimit_table, string(name));
 }


@@ -208,55 +202,164 @@ struct capability_table {
 	capability_flags flags;
 };

+/*
+ * Enum for the results of adding a capability, with values assigned to match
+ * the int values returned by the old capable_add_cap function:
+ *
+ * -1: error
+ *  0: no change - capability already in table
+ *  1: added flag to capability in table
+ *  2: added new capability
+ */
+enum add_cap_result {
+	ERROR = -1, // Was only used for OOM conditions
+	ALREADY_EXISTS = 0,
+	FLAG_ADDED = 1,
+	CAP_ADDED = 2
+};
+
 static struct capability_table base_capability_table[] = {
 	/* capabilities */
 	#include "cap_names.h"
+};
+static const size_t BASE_CAP_TABLE_SIZE = sizeof(base_capability_table)/sizeof(struct capability_table);

-	/* terminate */
-	{NULL, 0, 0, CAPFLAGS_CLEAR}
+class capability_lookup {
+	vector<capability_table> cap_table;
+	// Use unordered_map to avoid pulling in two map implementations
+	// We may want to switch to boost::multiindex to avoid duplication
+	unordered_map<string, capability_table&> name_cap_map;
+	unordered_map<unsigned int, capability_table&> int_cap_map;
+
+	private:
+	void add_capability_table_entry_raw(capability_table entry) {
+		cap_table.push_back(entry);
+		capability_table &entry_ref = cap_table.back();
+		name_cap_map.emplace(string(entry_ref.name), entry_ref);
+		int_cap_map.emplace(entry_ref.cap, entry_ref);
+	}
+	public:
+	capability_lookup() :
+			cap_table(vector<capability_table>()),
+			name_cap_map(unordered_map<string, capability_table&>(BASE_CAP_TABLE_SIZE)),
+			int_cap_map(unordered_map<unsigned int, capability_table&>(BASE_CAP_TABLE_SIZE)) {
+		cap_table.reserve(BASE_CAP_TABLE_SIZE);
+		for (size_t i=0; i<BASE_CAP_TABLE_SIZE; i++) {
+			add_capability_table_entry_raw(base_capability_table[i]);
+		}
+	}
+
+	capability_table* find_cap_entry_by_name(string const & name) const {
+		auto map_entry = this->name_cap_map.find(name);
+		if (map_entry == this->name_cap_map.end()) {
+			return NULL;
+		} else {
+			PDEBUG("Found %s %s\n", name.c_str(), map_entry->second.name);
+			return &map_entry->second;
+		}
+	}
+
+	capability_table* find_cap_entry_by_num(unsigned int cap) const {
+		auto map_entry = this->int_cap_map.find(cap);
+		if (map_entry == this->int_cap_map.end()) {
+			return NULL;
+		} else {
+			PDEBUG("Found %d %d\n", cap, map_entry->second.cap);
+			return &map_entry->second;
+		}
+	}
+
+	int name_to_capability(string const &cap) const {
+		auto map_entry = this->name_cap_map.find(cap);
+		if (map_entry == this->name_cap_map.end()) {
+			PDEBUG("Unable to find %s %s\n", "capability", cap.c_str());
+			return -1;
+		} else {
+			return map_entry->second.cap;
+		}
+	}
+
+	const char *capability_to_name(unsigned int cap) const {
+		auto map_entry = this->int_cap_map.find(cap);
+		if (map_entry == this->int_cap_map.end()) {
+			return "invalid-capability";
+		} else {
+			return map_entry->second.name;
+		}
+	}
+
+	int capability_backmap(unsigned int cap) const {
+		auto map_entry = this->int_cap_map.find(cap);
+		if (map_entry == this->int_cap_map.end()) {
+			return NO_BACKMAP_CAP;
+		} else {
+			return map_entry->second.backmap;
+		}
+	}
+
+	bool capability_in_kernel(unsigned int cap) const {
+		auto map_entry = this->int_cap_map.find(cap);
+		if (map_entry == this->int_cap_map.end()) {
+			return false;
+		} else {
+			return map_entry->second.flags & CAPFLAG_KERNEL_FEATURE;
+		}
+	}
+
+	void __debug_capabilities(uint64_t capset, const char *name) const {
+		printf("%s:", name);
+
+		for (auto it = this->cap_table.cbegin(); it != this->cap_table.cend(); it++) {
+			if ((1ull << it->cap) & capset)
+				printf (" %s", it->name);
+		}
+		printf("\n");
+	}
+
+	add_cap_result capable_add_cap(string const & str, unsigned int cap,
+			    capability_flags flag) {
+		struct capability_table *ent = this->find_cap_entry_by_name(str);
+		if (ent) {
+			if (ent->cap != cap) {
+				pwarn(WARN_UNEXPECTED, "feature capability '%s:%d' does not equal expected %d. Ignoring ...\n", str.c_str(), cap, ent->cap);
+				/* TODO: make warn to error config */
+				return add_cap_result::ALREADY_EXISTS;
+			}
+			if (ent->flags & flag)
+				return add_cap_result::ALREADY_EXISTS;
+			ent->flags = (capability_flags) (ent->flags | flag);
+			return add_cap_result::FLAG_ADDED;
+		} else {
+			struct capability_table new_entry;
+			new_entry.name = strdup(str.c_str());
+			if (!new_entry.name) {
+				yyerror(_("Out of memory"));
+				return add_cap_result::ERROR;
+			}
+			new_entry.cap = cap;
+			new_entry.backmap = 0;
+			new_entry.flags = flag;
+			try {
+				this->add_capability_table_entry_raw(new_entry);
+			} catch (const std::bad_alloc &_e) {
+				yyerror(_("Out of memory"));
+				return add_cap_result::ERROR;
+			}
+			// TODO: exception catching for causes other than OOM
+			return add_cap_result::CAP_ADDED;
+		}
+	}
+
+	void clear_cap_flag(capability_flags flags)
+	{
+		for (auto it = this->cap_table.begin(); it != this->cap_table.end(); it++) {
+			PDEBUG("Clearing capability flag for capability \"%s\"\n",  it->name);
+			it->flags = (capability_flags) (it->flags & ~flags);
+		}
+	}
 };

-static struct capability_table *cap_table;
-static int cap_table_size;
-
-void capabilities_init(void)
-{
-	cap_table = (struct capability_table *) malloc(sizeof(base_capability_table));
-	if (!cap_table)
-		yyerror(_("Memory allocation error."));
-	memcpy(cap_table, base_capability_table, sizeof(base_capability_table));
-	cap_table_size = sizeof(base_capability_table)/sizeof(struct capability_table);
-}
-
-struct capability_table *find_cap_entry_by_name(const char *name)
-{
-	int i;
-
-	for (i = 0; cap_table[i].name; i++) {
-		PDEBUG("Checking %s %s\n", name, cap_table[i].name);
-		if (strcmp(name, cap_table[i].name) == 0) {
-			PDEBUG("Found %s %s\n", name, cap_table[i].name);
-			return &cap_table[i];
-		}
-	}
-
-	return NULL;
-}
-
-struct capability_table *find_cap_entry_by_num(unsigned int cap)
-{
-	int i;
-
-	for (i = 0; cap_table[i].name; i++) {
-		PDEBUG("Checking %d %d\n",  cap, cap_table[i].cap);
-		if (cap == cap_table[i].cap) {
-			PDEBUG("Found %d %d\n", cap, cap_table[i].cap);
-			return &cap_table[i];
-		}
-	}
-
-	return NULL;
-}
+static capability_lookup cap_table;

 /* don't mark up str with \0 */
 static const char *strn_token(const char *str, size_t &len)
@@ -294,59 +397,6 @@ bool strcomp (const char *lhs, const char *rhs)
 	return null_strcmp(lhs, rhs) < 0;
 }

-/*
- * Returns: -1: error
- *           0: no change - capability already in table
- *           1: added flag to capability in table
- *           2: added new capability
- */
-static int capable_add_cap(const char *str, int len, unsigned int cap,
-			    capability_flags flag)
-{
-	/* extract name from str so we can treat as a string */
-	autofree char *name = strndup(str, len);
-
-	if (!name) {
-		yyerror(_("Out of memory"));
-		return -1;
-	}
-	struct capability_table *ent = find_cap_entry_by_name(name);
-	if (ent) {
-		if (ent->cap != cap) {
-			pwarn(WARN_UNEXPECTED, "feature capability '%s:%d' does not equal expected %d. Ignoring ...\n", name, cap, ent->cap);
-			/* TODO: make warn to error config */
-			return 0;
-		}
-		if (ent->flags & flag)
-			return 0;	/* no change */
-		ent->flags = (capability_flags) (ent->flags | flag);
-		return 1;		/* modified */
-	} else {
-		struct capability_table *tmp;
-
-		tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
-		if (!tmp) {
-			yyerror(_("Out of memory"));
-			/* TODO: change away from yyerror */
-			return -1;
-		}
-		cap_table = tmp;
-		ent = &cap_table[cap_table_size - 1]; /* overwrite null */
-		ent->name = strndup(name, len);
-		if (!ent->name) {
-			/* TODO: change away from yyerror */
-			yyerror(_("Out of memory"));
-			return -1;
-		}
-		ent->cap = cap;
-		ent->flags = flag;
-		cap_table[cap_table_size].name = NULL; /* new null */
-		cap_table_size++;
-	}
-
-	return 2;			/* added */
-}
-
 bool add_cap_feature_mask(struct aa_features *features, capability_flags flags)
 {
 	autofree char *value = NULL;
@@ -363,7 +413,8 @@ bool add_cap_feature_mask(struct aa_features *features, capability_flags flags)
 	for (capstr = strn_token(value, len);
 	     capstr;
 	     capstr = strn_token(capstr + len, len)) {
-		if (capable_add_cap(capstr, len, n, flags) < 0)
+		string capstr_as_str = string(capstr, len);
+		if (cap_table.capable_add_cap(capstr_as_str, n, flags) < 0)
 			return false;
 		n++;
 		if (len > valuelen) {
@@ -379,70 +430,32 @@ bool add_cap_feature_mask(struct aa_features *features, capability_flags flags)

 void clear_cap_flag(capability_flags flags)
 {
-	int i;
-
-	for (i = 0; cap_table[i].name; i++) {
-		PDEBUG("Clearing capability flag for capability \"%s\"\n",  cap_table[i].name);
-		cap_table[i].flags = (capability_flags) (cap_table[i].flags & ~flags);
-	}
+	cap_table.clear_cap_flag(flags);
 }

 int name_to_capability(const char *cap)
 {
-	struct capability_table *ent;
-
-	ent = find_cap_entry_by_name(cap);
-	if (ent)
-		return ent->cap;
-
-	PDEBUG("Unable to find %s %s\n", "capability", cap);
-	return -1;
+	return cap_table.name_to_capability(string(cap));
 }

 const char *capability_to_name(unsigned int cap)
 {
-	struct capability_table *ent;
-
-	ent = find_cap_entry_by_num(cap);
-	if (ent)
-		return ent->name;
-
-	return "invalid-capability";
+	return cap_table.capability_to_name(cap);
 }

 int capability_backmap(unsigned int cap)
 {
-	struct capability_table *ent;
-
-	ent = find_cap_entry_by_num(cap);
-	if (ent)
-		return ent->backmap;
-
-	return NO_BACKMAP_CAP;
+	return cap_table.capability_backmap(cap);
 }

 bool capability_in_kernel(unsigned int cap)
 {
-	struct capability_table *ent;
-
-	ent = find_cap_entry_by_num(cap);
-	if (ent)
-		return ent->flags & CAPFLAG_KERNEL_FEATURE;
-
-	return false;
+	return cap_table.capability_in_kernel(cap);
 }

 void __debug_capabilities(uint64_t capset, const char *name)
 {
-	unsigned int i;
-
-	printf("%s:", name);
-
-	for (i = 0; cap_table[i].name; i++) {
-		if ((1ull << cap_table[i].cap) & capset)
-			printf (" %s", cap_table[i].name);
-	}
-	printf("\n");
+	cap_table.__debug_capabilities(capset, name);
 }

 char *processunquoted(const char *string, int len)
@@ -1200,37 +1213,6 @@ void free_value_list(struct value_list *list)
 	}
 }

-struct value_list *dup_value_list(struct value_list *list)
-{
-	struct value_list *entry, *dup, *head = NULL;
-	char *value;
-
-	list_for_each(list, entry) {
-		value = NULL;
-		if (list->value) {
-			value = strdup(list->value);
-			if (!value)
-				goto fail2;
-		}
-		dup = new_value_list(value);
-		if (!dup)
-			goto fail;
-		if (head)
-			list_append(head, dup);
-		else
-			head = dup;
-	}
-
-	return head;
-
-fail:
-	free(value);
-fail2:
-	free_value_list(head);
-
-	return NULL;
-}
-
 void print_value_list(struct value_list *list)
 {
 	struct value_list *entry;
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -50,7 +50,7 @@ enum error_type {
 void filter_slashes(char *path)
 {
 	char *sptr, *dptr;
-	BOOL seen_slash = 0;
+	bool seen_slash = false;

 	if (!path || (strlen(path) < 2))
 		return;
@@ -69,7 +69,7 @@ void filter_slashes(char *path)
 				++sptr;
 			} else {
 				*dptr++ = *sptr++;
-				seen_slash = TRUE;
+				seen_slash = true;
 			}
 		} else {
 			seen_slash = 0;
@@ -111,14 +111,14 @@ pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
 #define MAX_ALT_DEPTH 50
 	*first_re_pos = 0;

-	int ret = TRUE;
+	int ret = 1;
 	/* flag to indicate input error */
 	enum error_type error;

 	const char *sptr;
 	pattern_t ptype;

-	BOOL bEscape = 0;	/* flag to indicate escape */
+	bool bEscape = false;	/* flag to indicate escape */
 	int ingrouping = 0;	/* flag to indicate {} context */
 	int incharclass = 0;	/* flag to indicate [ ] context */
 	int grouping_count[MAX_ALT_DEPTH] = {0};
@@ -150,7 +150,7 @@ pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
 			if (bEscape) {
 				pcre.append("\\\\");
 			} else {
-				bEscape = TRUE;
+				bEscape = true;
 				++sptr;
 				continue;	/*skip turning bEscape off */
 			}	/* bEscape */
@@ -393,7 +393,7 @@ pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
 			break;
 		}	/* switch (*sptr) */

-		bEscape = FALSE;
+		bEscape = false;
 		++sptr;
 	}		/* while error == e_no_error && *sptr) */

@@ -419,12 +419,12 @@ pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
 		PERROR(_("%s: Unable to parse input line '%s'\n"),
 		       progname, aare);

-		ret = FALSE;
+		ret = 0;
 		goto out;
 	}

 out:
-	if (ret == FALSE)
+	if (ret == 0)
 		ptype = ePatternInvalid;

 	if (parseopts.dump & DUMP_DFA_RULE_EXPR)
@@ -464,7 +464,7 @@ static void warn_once_xattr(const char *name)
    common_warn_once(name, "xattr attachment conditional ignored", &warned_name);
 }

-static int process_profile_name_xmatch(Profile *prof)
+static bool process_profile_name_xmatch(Profile *prof)
 {
 	std::string tbuf;
 	pattern_t ptype;
@@ -479,7 +479,7 @@ static int process_profile_name_xmatch(Profile *prof)
 		/* don't filter_slashes for profile names, do on attachment */
 		name = strdup(local_name(prof->name));
 		if (!name)
-			return FALSE;
+			return false;
 	}
 	filter_slashes(name);
 	ptype = convert_aaregex_to_pcre(name, 0, glob_default, tbuf,
@@ -491,7 +491,7 @@ static int process_profile_name_xmatch(Profile *prof)
 		PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
 		if (!prof->attachment)
 			free(name);
-		return FALSE;
+		return false;
 	}

 	if (!prof->attachment)
@@ -506,11 +506,11 @@ static int process_profile_name_xmatch(Profile *prof)
 		/* build a dfa */
 		aare_rules *rules = new aare_rules();
 		if (!rules)
-			return FALSE;
+			return false;
 		if (!rules->add_rule(tbuf.c_str(), 0, RULE_ALLOW,
 				     AA_MAY_EXEC, 0, parseopts)) {
 			delete rules;
-			return FALSE;
+			return false;
 		}
 		if (prof->altnames) {
 			struct alt_name *alt;
@@ -525,7 +525,7 @@ static int process_profile_name_xmatch(Profile *prof)
 						RULE_ALLOW, AA_MAY_EXEC,
 						0, parseopts)) {
 					delete rules;
-					return FALSE;
+					return false;
 				}
 			}
 		}
@@ -567,7 +567,7 @@ static int process_profile_name_xmatch(Profile *prof)
 							&len);
 				if (!rules->append_rule(tbuf.c_str(), true, true, parseopts)) {
 					delete rules;
-					return FALSE;
+					return false;
 				}
 			}
 		}
@@ -581,10 +581,10 @@ build:
 		prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false, false);
 		delete rules;
 		if (!prof->xmatch)
-			return FALSE;
+			return false;
 	}

-	return TRUE;
+	return true;
 }

 static int warn_change_profile = 1;
@@ -606,21 +606,21 @@ static bool is_change_profile_perms(perm32_t perms)
 	return perms & AA_CHANGE_PROFILE;
 }

-static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
+static bool process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 {
 	std::string tbuf;
 	pattern_t ptype;
 	int pos;

 	if (!entry) 		/* shouldn't happen */
-		return TRUE;
+		return false;


 	if (!is_change_profile_perms(entry->perms))
 		filter_slashes(entry->name);
 	ptype = convert_aaregex_to_pcre(entry->name, 0, glob_default, tbuf, &pos);
 	if (ptype == ePatternInvalid)
-		return FALSE;
+		return false;

 	entry->pattern_type = ptype;

@@ -649,13 +649,13 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 					entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
 					entry->audit == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
 					parseopts))
-			return FALSE;
+			return false;
 	} else if (!is_change_profile_perms(entry->perms)) {
 		if (!dfarules->add_rule(tbuf.c_str(), entry->priority,
 				entry->rule_mode, entry->perms,
 				entry->audit == AUDIT_FORCE ? entry->perms : 0,
 				parseopts))
-			return FALSE;
+			return false;
 	}

 	if (entry->perms & (AA_LINK_BITS)) {
@@ -669,7 +669,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 			filter_slashes(entry->link_name);
 			ptype = convert_aaregex_to_pcre(entry->link_name, 0, glob_default, lbuf, &pos);
 			if (ptype == ePatternInvalid)
-				return FALSE;
+				return false;
 			if (entry->subset)
 				perms |= LINK_TO_LINK_SUBSET(perms);
 			vec[1] = lbuf.c_str();
@@ -681,7 +681,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 				entry->rule_mode, perms,
 				entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0,
 				2, vec, parseopts, false))
-			return FALSE;
+			return false;
 	}
 	if (is_change_profile_perms(entry->perms)) {
 		const char *vec[3];
@@ -702,7 +702,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		if (entry->onexec) {
 			ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
 			if (ptype == ePatternInvalid)
-				return FALSE;
+				return false;
 			vec[0] = xbuf.c_str();
 		} else
 			/* allow change_profile for all execs */
@@ -713,14 +713,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)

 			if (!parse_label(&stack, &ns, &name,
 					 tbuf.c_str(), false)) {
-				return FALSE;
+				return false;
 			}

 			if (stack) {
 				fprintf(stderr,
 					_("The current kernel does not support stacking of named transitions: %s\n"),
 					tbuf.c_str());
-				return FALSE;
+				return false;
 			}

 			if (ns)
@@ -734,13 +734,13 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		if (!dfarules->add_rule_vec(entry->priority, entry->rule_mode,
 					    AA_CHANGE_PROFILE | onexec_perms,
 					    0, index - 1, &vec[1], parseopts, false))
-			return FALSE;
+			return false;

 		/* onexec rules - both rules are needed for onexec */
 		if (!dfarules->add_rule_vec(entry->priority, entry->rule_mode,
 					    onexec_perms,
 					    0, 1, vec, parseopts, false))
-			return FALSE;
+			return false;

 		/**
 		 * pick up any exec bits, from the frontend parser, related to
@@ -750,19 +750,19 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		if (!dfarules->add_rule_vec(entry->priority, entry->rule_mode,
 					    onexec_perms, 0, index, vec,
 					    parseopts, false))
-			return FALSE;
+			return false;
 	}
-	return TRUE;
+	return true;
 }

-int post_process_entries(Profile *prof)
+bool post_process_entries(Profile *prof)
 {
-	int ret = TRUE;
+	int ret = true;
 	struct cod_entry *entry;

 	list_for_each(prof->entries, entry) {
 		if (!process_dfa_entry(prof->dfa.rules, entry))
-			ret = FALSE;
+			ret = false;
 	}

 	return ret;
@@ -815,7 +815,7 @@ out:
 	return error;
 }

-int build_list_val_expr(std::string& buffer, struct value_list *list)
+bool build_list_val_expr(std::string& buffer, struct value_list *list)
 {
 	struct value_list *ent;
 	pattern_t ptype;
@@ -823,7 +823,7 @@ int build_list_val_expr(std::string& buffer, struct value_list *list)

 	if (!list) {
 		buffer.append(default_match_pattern);
-		return TRUE;
+		return true;
 	}

 	buffer.append("(");
@@ -840,12 +840,12 @@ int build_list_val_expr(std::string& buffer, struct value_list *list)
 	}
 	buffer.append(")");

-	return TRUE;
+	return true;
 fail:
-	return FALSE;
+	return false;
 }

-int convert_entry(std::string& buffer, char *entry)
+bool convert_entry(std::string& buffer, char *entry)
 {
 	pattern_t ptype;
 	int pos;
@@ -853,12 +853,12 @@ int convert_entry(std::string& buffer, char *entry)
 	if (entry) {
 		ptype = convert_aaregex_to_pcre(entry, 0, glob_default, buffer, &pos);
 		if (ptype == ePatternInvalid)
-			return FALSE;
+			return false;
 	} else {
 		buffer.append(default_match_pattern);
 	}

-	return TRUE;
+	return true;
 }

 int clear_and_convert_entry(std::string& buffer, char *entry)
@@ -959,7 +959,7 @@ static std::string generate_regex_range(bignum start, bignum end)
 	return result.str();
 }

-int convert_range(std::string& buffer, bignum start, bignum end)
+bool convert_range(std::string& buffer, bignum start, bignum end)
 {
 	pattern_t ptype;
 	int pos;
@@ -969,24 +969,24 @@ int convert_range(std::string& buffer, bignum start, bignum end)
 	if (!regex_range.empty()) {
 		ptype = convert_aaregex_to_pcre(regex_range.c_str(), 0, glob_default, buffer, &pos);
 		if (ptype == ePatternInvalid)
-			return FALSE;
+			return false;
 	} else {
 		buffer.append(default_match_pattern);
 	}

-	return TRUE;
+	return true;
 }

-int post_process_policydb_ents(Profile *prof)
+bool post_process_policydb_ents(Profile *prof)
 {
 	for (RuleList::iterator i = prof->rule_ents.begin(); i != prof->rule_ents.end(); i++) {
 		if ((*i)->skip())
 			continue;
 		if ((*i)->gen_policy_re(*prof) == RULE_ERROR)
-			return FALSE;
+			return false;
 	}

-	return TRUE;
+	return true;
 }


--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -79,7 +79,7 @@ struct var_string *split_out_var(const char *string)
 {
 	struct var_string *n = NULL;
 	const char *sptr;
-	BOOL bEscape = 0;	/* flag to indicate escape */
+	bool bEscape = false;	/* flag to indicate escape */

 	if (!string) 		/* shouldn't happen */
 		return NULL;
@@ -89,15 +89,11 @@ struct var_string *split_out_var(const char *string)
 	while (!n && *sptr) {
 		switch (*sptr) {
 		case '\\':
-			if (bEscape) {
-				bEscape = FALSE;
-			} else {
-				bEscape = TRUE;
-			}
+			bEscape = !bEscape;
 			break;
 		case '@':
 			if (bEscape) {
-				bEscape = FALSE;
+				bEscape = false;
 			} else if (*(sptr + 1) == '{') {
 				const char *eptr = get_var_end(sptr + 2);
 				if (!eptr)
@@ -111,8 +107,7 @@ struct var_string *split_out_var(const char *string)
 			}
 			break;
 		default:
-			if (bEscape)
-				bEscape = FALSE;
+			bEscape = false;
 		}
 		sptr++;
 	}
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -704,7 +704,7 @@ rules: rules opt_prefix block
 		if (($2).priority != 0) {
 			yyerror(_("priority is not allowed on rule blocks"));
 		}
-		PDEBUG("matched: %s%s%sblock\n",
+		PDEBUG("matched: %s%s%s%sblock\n",
 		       $2.audit == AUDIT_FORCE ? "audit " : "",
 		       $2.rule_mode == RULE_DENY ? "deny " : "",
 		       $2.rule_mode == RULE_PROMPT ? "prompt " : "",
--- a/parser/po/apparmor-parser.pot
+++ b/parser/po/apparmor-parser.pot
@@ -1,14 +1,14 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR Canonical Ltd
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# Translations for apparmor_parser
+# Copyright (C) 2024 YEAR Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2011.
 #
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2025-02-18 07:32-0800\n"
+"POT-Creation-Date: 2024-08-31 15:55-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -326,7 +326,7 @@ msgstr ""
 #: parser_yacc.y:744 parser_yacc.y:1073 parser_yacc.y:1160 parser_yacc.y:1169
 #: parser_yacc.y:1173 parser_yacc.y:1183 parser_yacc.y:1193 parser_yacc.y:1287
 #: parser_yacc.y:1365 parser_yacc.y:1561 parser_yacc.y:1569 parser_yacc.y:1619
-#: parser_yacc.y:1624 parser_yacc.y:1701 parser_yacc.y:1750 ../network.cc:945
+#: parser_yacc.y:1624 parser_yacc.y:1701 parser_yacc.y:1750 ../network.cc:899
 #: ../af_unix.cc:197 ../all_rule.cc:102 ../all_rule.cc:131
 msgid "Memory allocation error."
 msgstr ""
@@ -411,12 +411,12 @@ msgid "AppArmor parser error: %s\n"
 msgstr ""

 #: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
-#: ../parser_merge.c:71 ../parser_merge.c:77
+#: ../parser_merge.c:71 ../parser_merge.c:74
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""

 #: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
-#: ../parser_merge.c:93 ../parser_merge.c:100
+#: ../parser_merge.c:93 ../parser_merge.c:97
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
@@ -542,7 +542,7 @@ msgstr ""

 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
 #: parser_yacc.y:1145 parser_yacc.y:1155 parser_yacc.y:1234 parser_yacc.y:1244
-#: ../network.cc:515
+#: ../network.cc:484
 msgid "Invalid network entry."
 msgstr ""

@@ -830,16 +830,16 @@ msgstr ""
 msgid "%s: Regex error: trailing '\\' escape character\n"
 msgstr ""

-#: ../parser_common.c:112 ../parser_common.c:139
+#: ../parser_common.c:112 ../parser_common.c:134
 #, c-format
 msgid "%s from %s (%s%sline %d): %s"
 msgstr ""

-#: ../parser_common.c:113 ../parser_common.c:140
+#: ../parser_common.c:113 ../parser_common.c:135
 msgid "Warning converted to Error"
 msgstr ""

-#: ../parser_common.c:113 ../parser_common.c:140
+#: ../parser_common.c:113 ../parser_common.c:135
 msgid "Warning"
 msgstr ""

@@ -1051,13 +1051,13 @@ msgstr ""
 msgid "Internal: unexpected %s perms character '%c' in input"
 msgstr ""

-#: ../parser_misc.c:1100
+#: ../parser_misc.c:1098
 msgid ""
 "Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""

-#: ../parser_misc.c:1104
+#: ../parser_misc.c:1102
 msgid "Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""

@@ -1091,16 +1091,16 @@ msgstr ""
 msgid "attach_disconnected_path value must begin with a /"
 msgstr ""

-#: ../mount.cc:903
+#: ../mount.cc:897
 msgid ""
 "The use of source as mount point for propagation type flags is deprecated.\n"
 msgstr ""

-#: ../network.h:202
+#: ../network.h:200
 msgid "priority prefix not allowed on network rules"
 msgstr ""

-#: ../network.h:206
+#: ../network.h:204
 msgid "owner prefix not allowed on network rules"
 msgstr ""

--- a/parser/profile.cc
+++ b/parser/profile.cc
@@ -226,13 +226,13 @@ static bool add_proc_access(Profile *prof, const char *rule)
 		char *buffer = strdup("/proc/*/attr/apparmor/");
 		if (!buffer) {
 			PERROR("Memory allocation error\n");
-			return FALSE;
+			return false;
 		}
 		new_ent = new_entry(buffer, AA_MAY_READ, NULL);
 		if (!new_ent) {
 			free(buffer);
 			PERROR("Memory allocation error\n");
-			return FALSE;
+			return false;
 		}
 		add_entry_to_policy(prof, new_ent);

@@ -240,13 +240,13 @@ static bool add_proc_access(Profile *prof, const char *rule)
 		buffer = strdup("/sys/module/apparmor/parameters/enabled");
 		if (!buffer) {
 			PERROR("Memory allocation error\n");
-			return FALSE;
+			return false;
 		}
 		new_ent = new_entry(buffer, AA_MAY_READ, NULL);
 		if (!new_ent) {
 			free(buffer);
 			PERROR("Memory allocation error\n");
-			return FALSE;
+			return false;
 		}
 		add_entry_to_policy(prof, new_ent);

@@ -254,17 +254,17 @@ static bool add_proc_access(Profile *prof, const char *rule)
 		buffer = strdup(rule);
 		if (!buffer) {
 			PERROR("Memory allocation error\n");
-			return FALSE;
+			return false;
 		}
 		new_ent = new_entry(buffer, AA_MAY_WRITE, NULL);
 		if (!new_ent) {
 			free(buffer);
 			PERROR("Memory allocation error\n");
-			return FALSE;
+			return false;
 		}
 		add_entry_to_policy(prof, new_ent);

-		return TRUE;
+		return true;
 }

 #define CHANGEPROFILE_PATH "/proc/*/attr/{apparmor/,}{current,exec}"
--- a/parser/profile.h
+++ b/parser/profile.h
@@ -363,7 +363,7 @@ public:
 	struct cond_entry_list xattrs;

 	/* char *sub_name; */			/* subdomain name or NULL */
-	/* int default_deny; */			/* TRUE or FALSE */
+	/* bool default_deny; */
 	bool local;

 	Profile *parent;
--- a/parser/signal.cc
+++ b/parser/signal.cc
@@ -23,7 +23,7 @@
 #include <iomanip>
 #include <string>
 #include <sstream>
-#include <map>
+#include <unordered_map>

 #include "parser.h"
 #include "profile.h"
@@ -35,7 +35,7 @@
 #define MAXRT_SIG 32		/* Max RT above MINRT_SIG */

 /* Signal names mapped to and internal ordering */
-static struct signal_map { const char *name; int num; } signal_map[] = {
+static unordered_map<string, int> signal_map = {
 	{"hup",		1},
 	{"int",		2},
 	{"quit",	3},
@@ -55,7 +55,8 @@ static struct signal_map { const char *name; int num; } signal_map[] = {
 	{"chld",	17},
 	{"cont",	18},
 	{"stop",	19},
-	{"stp",		20},
+	{"stp",		20}, // parser's previous name for SIGTSTP
+	{"tstp",	20},
 	{"ttin",	21},
 	{"ttou",	22},
 	{"urg",		23},
@@ -64,14 +65,12 @@ static struct signal_map { const char *name; int num; } signal_map[] = {
 	{"vtalrm",	26},
 	{"prof",	27},
 	{"winch",	28},
-	{"io",		29},
+	{"io",		29}, // SIGIO == SIGPOLL
+	{"poll",	29},
 	{"pwr",		30},
 	{"sys",		31},
 	{"emt",		32},
 	{"exists",	35},
-
-	/* terminate */
-	{NULL,		0}
 };

 /* this table is ordered post sig_map[sig] mapping */
@@ -96,7 +95,7 @@ static const char *const sig_names[MAXMAPPED_SIG + 1] = {
 	"chld",
 	"cont",
 	"stop",
-	"stp",
+	"tstp",
 	"ttin",
 	"ttou",
 	"urg",
@@ -105,7 +104,7 @@ static const char *const sig_names[MAXMAPPED_SIG + 1] = {
 	"vtalrm",
 	"prof",
 	"winch",
-	"io",
+	"io", // SIGIO == SIGPOLL
 	"pwr",
 	"sys",
 	"emt",
@@ -130,12 +129,14 @@ int find_signal_mapping(const char *sig)
 			return -1;
 		return MINRT_SIG + n;
 	} else {
-		for (int i = 0; signal_map[i].name; i++) {
-			if (strcmp(sig, signal_map[i].name) == 0)
-				return signal_map[i].num;
+		// Can't use string_view because that requires C++17
+		auto sigmap = signal_map.find(string(sig));
+		if (sigmap != signal_map.end()) {
+			return sigmap->second;
+		} else {
+			return -1;
 		}
 	}
-	return -1;
 }

 void signal_rule::extract_sigs(struct value_list **list)
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -6,7 +6,7 @@ PARSER_BIN=apparmor_parser
 PARSER=$(PARSER_DIR)/$(PARSER_BIN)
 # parser.conf to use in tests. Note that some test scripts have the parser options hardcoded, so passing PARSER_ARGS=... is not enough to override it.
 PARSER_ARGS=--config-file=./parser.conf
-PROVE_ARG=-f --directives
+PROVE_ARG=-f --directives -j2

 ifeq ($(VERBOSE),1)
  PROVE_ARG+=-v
@@ -37,6 +37,11 @@ error_output: $(PARSER)
 parser_sanity: $(PARSER) gen_xtrans gen_dbus
 	$(Q)LANG=C APPARMOR_PARSER="$(PARSER)" ${PROVE} ${PROVE_ARG} ${TESTS}

+# use this target for faster manual testing if you don't want/need to test all the profiles generated by gen-*.py
+parser_sanity-no-gen: clean $(PARSER)
+	@echo WARNING: not creating the profiles using the gen-*.py scripts
+	$(Q)LANG=C APPARMOR_PARSER="$(PARSER)" ${PROVE} ${PROVE_ARG} ${TESTS}
+
 caching: $(PARSER)
 	LANG=C ./caching.py -p "$(PARSER)" $(PYTEST_ARG)

--- a/parser/tst/simple_tests/network/network_bad_86.sd
+++ b/parser/tst/simple_tests/network/network_bad_86.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - missing end of range
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=22-,
+
+}
--- a/parser/tst/simple_tests/network/network_bad_87.sd
+++ b/parser/tst/simple_tests/network/network_bad_87.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - missing end of range
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=2222-),
+
+}
--- a/parser/tst/simple_tests/network/network_bad_88.sd
+++ b/parser/tst/simple_tests/network/network_bad_88.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - spaces in range not allowed
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=22 - 443,
+
+}
--- a/parser/tst/simple_tests/network/network_bad_89.sd
+++ b/parser/tst/simple_tests/network/network_bad_89.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - spaces in range not allowed
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=22 - 443),
+
+}
--- a/parser/tst/simple_tests/network/network_bad_90.sd
+++ b/parser/tst/simple_tests/network/network_bad_90.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - invalid "--"
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=22--443,
+
+}
--- a/parser/tst/simple_tests/network/network_bad_91.sd
+++ b/parser/tst/simple_tests/network/network_bad_91.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - invalid "--"
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=22--443),
+
+}
--- a/parser/tst/simple_tests/network/network_bad_92.sd
+++ b/parser/tst/simple_tests/network/network_bad_92.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - 3 items in range
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network port=22-443-1024,
+
+}
--- a/parser/tst/simple_tests/network/network_bad_93.sd
+++ b/parser/tst/simple_tests/network/network_bad_93.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - 3 items in range
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  network peer=(port=22-443-1024),
+
+}
--- a/parser/tst/simple_tests/network/network_ok_45.sd
+++ b/parser/tst/simple_tests/network/network_ok_45.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - additional spaces
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network port = 22-443 ,
+
+}
--- a/parser/tst/simple_tests/network/network_ok_46.sd
+++ b/parser/tst/simple_tests/network/network_ok_46.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION network port range conditional test - additional spaces
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  network peer=( port = 22-443 ),
+
+}
--- a/parser/tst/testlib.py
+++ b/parser/tst/testlib.py
@@ -98,12 +98,11 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
        except OSError as e:
            return 127, str(e), ''

-        timeout_communicate = TimeoutFunction(sp.communicate, timeout)
        out, outerr = (None, None)
        try:
-            out, outerr = timeout_communicate(input)
+            out, outerr = sp.communicate(input, timeout)
            rc = sp.returncode
-        except TimeoutFunctionException:
+        except subprocess.TimeoutExpired:
            sp.terminate()
            outerr = 'test timed out, killed'
            rc = TIMEOUT_ERROR_CODE
@@ -117,31 +116,6 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):

        return rc, out, outerr

-
-# Timeout handler using alarm() from John P. Speno's Pythonic Avocado
-class TimeoutFunctionException(Exception):
-    """Exception to raise on a timeout"""
-
-
-class TimeoutFunction:
-    def __init__(self, function, timeout):
-        self.timeout = timeout
-        self.function = function
-
-    def handle_timeout(self, signum, frame):
-        raise TimeoutFunctionException()
-
-    def __call__(self, *args, **kwargs):
-        old = signal.signal(signal.SIGALRM, self.handle_timeout)
-        signal.alarm(self.timeout)
-        try:
-            result = self.function(*args, **kwargs)
-        finally:
-            signal.signal(signal.SIGALRM, old)
-        signal.alarm(0)
-        return result
-
-
 def filesystem_time_resolution():
    """detect whether the filesystem stores subsecond timestamps"""

--- a/profiles/Makefile
+++ b/profiles/Makefile
@@ -154,11 +154,12 @@ check-logprof: test-dependencies

 .PHONY: check-abstractions.d
 check-abstractions.d:
-	@echo "*** Checking if all abstractions (with a few exceptions) contain 'include if exists <abstractions/*.d>'"
+	@echo "*** Checking if all abstractions (with a few exceptions) contain 'include if exists <abstractions/*.d>' and 'abi <abi/4.0>,'"
 	$(Q)for file in $$(find ${ABSTRACTIONS_SOURCE} ${EXTRAS_ABSTRACTIONS_SOURCE} -maxdepth 1 -type f) ; do \
 		case "$${file}" in */ubuntu-browsers | */ubuntu-helpers) continue ;; esac ; \
 		include="include if exists <abstractions/$$(basename $${file}).d>" ; \
 		grep -q "^  $${include}\$$" $${file} || { echo "$${file} does not contain '$${include}'"; exit 1; } ; \
+		grep -q "^ *abi <abi/4.0>," $${file} || { echo "$${file} does not contain 'abi <abi/4.0>,'"; exit 1; } ; \
 	done

 .PHONY: check-tunables.d
@@ -172,9 +173,10 @@ check-tunables.d:

 .PHONY: check-local
 check-local:
-	@echo "*** Checking if all profiles contain 'include if exists <local/*>'"
+	@echo "*** Checking if all profiles contain 'include if exists <local/*>' and 'abi <abi/4.0>,'"
 	$(Q)for file in $$(find ${PROFILES_SOURCE} ${EXTRAS_SOURCE} -maxdepth 1 -type f) ; do \
 		case "$${file}" in */README) continue ;; esac ; \
 		include="include if exists <local/$$(basename $${file})>" ; \
 		grep -q "^  *$${include}\$$" $${file} || { echo "$${file} does not contain '$${include}'"; exit 1; } ; \
+		grep -q "^ *abi <abi/4.0>," $${file} || { echo "$${file} does not contain 'abi <abi/4.0>,'"; exit 1; } ; \
 	done
--- a/profiles/apparmor.d/abstractions/devices-usb
+++ b/profiles/apparmor.d/abstractions/devices-usb
@@ -1,22 +0,0 @@
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2021 Mikhail Morfikov
-#    Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-  abi <abi/4.0>,
-
-  include <abstractions/devices-usb-read>
-
-  /dev/bus/usb/@{int}/@{int} wk,
-
-  @{sys}/devices/**/usb@{int}/{,**} w,
-
-  include if exists <abstractions/devices-usb.d>
-
-# vim:syntax=apparmor
--- a/profiles/apparmor.d/abstractions/devices-usb-read
+++ b/profiles/apparmor.d/abstractions/devices-usb-read
@@ -1,35 +0,0 @@
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2021 Mikhail Morfikov
-#    Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-  abi <abi/4.0>,
-
-  /dev/ r,
-  /dev/bus/usb/ r,
-  /dev/bus/usb/@{int}/ r,
-  /dev/bus/usb/@{int}/@{int} r,
-
-  @{sys}/class/ r,
-  @{sys}/class/usbmisc/ r,
-
-  @{sys}/bus/ r,
-  @{sys}/bus/usb/ r,
-  @{sys}/bus/usb/devices/{,**} r,
-
-  @{sys}/devices/**/usb@{int}/{,**} r,
-
-  # Udev data about usb devices (~equal to content of lsusb -v)
-  @{run}/udev/data/+usb:* r,
-  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
-  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
-
-  include if exists <abstractions/devices-usb-read.d>
-
-# vim:syntax=apparmor
--- a/profiles/apparmor.d/abstractions/groff
+++ b/profiles/apparmor.d/abstractions/groff
@@ -10,6 +10,8 @@
 #
 # ------------------------------------------------------------------

+abi <abi/4.0>,
+
  # Note: executing groff and nroff themself is not included in this abstraction
  # so that you can choose to ix, Px or Cx them in your profile

--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -42,9 +42,6 @@
  # have open
  @{run}/nscd/db*  mix,

-  # make libnss-libvirt name resolution work.
-  /var/lib/libvirt/dnsmasq/*  r,
-
  # make libnss-libvirt name resolution work.
  /var/lib/libvirt/dnsmasq/  r,
  /var/lib/libvirt/dnsmasq/*.status  r,
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -13,19 +13,19 @@
  abi <abi/4.0>,

  /{usr/,}bin/ r,
-  /{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
+  /{usr/,}bin/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]} r,

-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r,
-  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
-  /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth}       r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+  /usr/{local/,}lib{,32,64}/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/*.so            mr,

  # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
+  /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,

  # shared python paths
  /usr/share/{pyshared,pycentral,python-support}/**      r,
@@ -38,12 +38,12 @@
  /usr/lib/wx/python/*.pth r,

  # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
+  /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,

-  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so}              mr,
-  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}          r,
-  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/    r,
-  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so}              mr,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth}          r,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/    r,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,

  # Starting with Python 3.8, you can use the PYTHONPYCACHEPREFIX environment
  # variable to define a cache directory for Python.
--- a/profiles/apparmor.d/abstractions/snap_browsers
+++ b/profiles/apparmor.d/abstractions/snap_browsers
@@ -1,3 +1,5 @@
+abi <abi/4.0>,
+
 profile snap_browsers {
  include if exists <abstractions/snap_browsers.d>
  include <abstractions/base>
--- a/profiles/apparmor.d/abstractions/transmission-common
+++ b/profiles/apparmor.d/abstractions/transmission-common
@@ -2,6 +2,8 @@
 # LOGPROF-SUGGEST: no
 # Author: Daniel Richard G. <skunk@iSKUNK.ORG>

+abi <abi/4.0>,
+
  include <abstractions/base>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice>
--- a/profiles/apparmor.d/tar
+++ b/profiles/apparmor.d/tar
@@ -0,0 +1,37 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile tar /usr/bin/tar {
+  include <abstractions/base>
+
+  # used to extract user files as root
+  capability chown,
+
+  # used to compress user files as root
+  capability dac_override,
+  capability dac_read_search,
+
+  file rwl /**,
+
+  # tar can be made to filter archives through an arbitrary program
+  /{usr{/local,},}/{bin,sbin}/* ix,
+  /opt/** ix,
+
+  # tar can compress/extract files over rsh/ssh
+  network stream ip=127.0.0.1,
+  network stream ip=::1,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/tar>
+}
+
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@@ -17,7 +17,6 @@ include <tunables/multiarch>
 include <tunables/proc>
 include <tunables/alias>
 include <tunables/kernelvars>
-include <tunables/system>
 include <tunables/xdg-user-dirs>
 include <tunables/share>
 include <tunables/etc>
--- a/profiles/apparmor.d/tunables/system
+++ b/profiles/apparmor.d/tunables/system
@@ -1,99 +0,0 @@
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-# Any digit
-@{d}=[0-9]
-
-# Any letter
-@{l}=[a-zA-Z]
-
-# Single alphanumeric character
-@{c}=[0-9a-zA-Z]
-
-# Word character: matches any letter, digit or underscore.
-@{w}=[a-zA-Z0-9_]
-
-# Single hexadecimal character
-@{h}=[0-9a-fA-F]
-
-# Integer up to 10 digits (0-9999999999)
-@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}
-
-# hexadecimal, alphanumeric and word up to 64 characters
-@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
-@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
-@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
-
-# Unsigned integer over 8 bits (0...255)
-@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]
-
-# Unsigned integer over 16 bits (0...65,535 5 digits)
-@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}
-
-# Unsigned integer over 32 bits (0...4,294,967,295 10 digits)
-@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
-
-# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits).
-@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
-
-# Any x digits characters
-@{int2}=@{d}@{d}
-@{int4}=@{int2}@{int2}
-@{int6}=@{int4}@{int2}
-@{int8}=@{int4}@{int4}
-@{int9}=@{int8}@{d}
-@{int10}=@{int8}@{int2}
-@{int12}=@{int8}@{int4}
-@{int15}=@{int8}@{int4}@{int2}@{d}
-@{int16}=@{int8}@{int8}
-@{int32}=@{int16}@{int16}
-@{int64}=@{int32}@{int32}
-
-# Any x hexadecimal characters
-@{hex2}=@{h}@{h}
-@{hex4}=@{hex2}@{hex2}
-@{hex6}=@{hex4}@{hex2}
-@{hex8}=@{hex4}@{hex4}
-@{hex9}=@{hex8}@{h}
-@{hex10}=@{hex8}@{hex2}
-@{hex12}=@{hex8}@{hex4}
-@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
-@{hex16}=@{hex8}@{hex8}
-@{hex32}=@{hex16}@{hex16}
-@{hex38}=@{hex32}@{hex6}
-@{hex64}=@{hex32}@{hex32}
-
-# Any x alphanumeric characters
-@{rand2}=@{c}@{c}
-@{rand4}=@{rand2}@{rand2}
-@{rand6}=@{rand4}@{rand2}
-@{rand8}=@{rand4}@{rand4}
-@{rand9}=@{rand8}@{c}
-@{rand10}=@{rand8}@{rand2}
-@{rand12}=@{rand8}@{rand4}
-@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
-@{rand16}=@{rand8}@{rand8}
-@{rand32}=@{rand16}@{rand16}
-@{rand64}=@{rand32}@{rand32}
-
-# Any x word characters
-@{word2}=@{w}@{w}
-@{word4}=@{word2}@{word2}
-@{word6}=@{word4}@{word2}
-@{word8}=@{word4}@{word4}
-@{word9}=@{word8}@{w}
-@{word10}=@{word8}@{word2}
-@{word12}=@{word8}@{word4}
-@{word15}=@{word8}@{word4}@{word2}@{w}
-@{word16}=@{word8}@{word8}
-@{word32}=@{word16}@{word16}
-@{word64}=@{word32}@{word32}
-
-include if exists <tunables/system.d>
--- a/profiles/apparmor.d/usr.lib.dovecot.director
+++ b/profiles/apparmor.d/usr.lib.dovecot.director
@@ -9,6 +9,8 @@
 # ------------------------------------------------------------------
 # vim: ft=apparmor

+abi <abi/4.0>,
+
 include <tunables/global>

 profile dovecot-director /usr/lib*/dovecot/director flags=(attach_disconnected) {
--- a/profiles/apparmor.d/usr.lib.dovecot.doveadm-server
+++ b/profiles/apparmor.d/usr.lib.dovecot.doveadm-server
@@ -9,6 +9,8 @@
 # ------------------------------------------------------------------
 # vim: ft=apparmor

+abi <abi/4.0>,
+
 include <tunables/global>

 profile dovecot-doveadm-server /usr/lib*/dovecot/doveadm-server flags=(attach_disconnected) {
--- a/profiles/apparmor.d/usr.lib.dovecot.replicator
+++ b/profiles/apparmor.d/usr.lib.dovecot.replicator
@@ -12,6 +12,8 @@
 # vim: ft=apparmor
 # for https://wiki.dovecot.org/Replication

+abi <abi/4.0>,
+
 include <tunables/dovecot>
 include <tunables/global>

--- a/profiles/apparmor/profiles/extras/unshare-userns-restrict
+++ b/profiles/apparmor/profiles/extras/unshare-userns-restrict
@@ -11,19 +11,17 @@
 #
 # disabled by default as it can break some use cases on a system that
 # doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it

 abi <abi/4.0>,

 include <tunables/global>

-profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
-  # not allow all, to allow for pix stack on systems that don't support
-  # rule priority.
-  #
-  # sadly we have to allow 'm' every where to allow children to work under
-  # profile stacking atm.
+profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+  # not allow all, to allow for cix transition
+  # and to limit executable mapping to just unshare
  allow capability,
-  allow file rwmlk /{**,},
+  allow file rwlk /{**,},
  allow network,
  allow unix,
  allow ptrace,
@@ -35,41 +33,33 @@ profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
  allow umount,
  allow pivot_root,
  allow dbus,
-  # This will stack a target profile against unpriv_unshare
-  # Most of the comments for the pix transition in bwrap-userns-restrict
-  # also apply here, with the exception of unshare not using no-new-privs
-  # Thus, we only need a two-layer stack instead of a three-layer stack
-  audit allow pix /** -> &unpriv_unshare,
+  audit allow cx /** -> unpriv,
+
+  allow file m /usr/lib/@{multiarch}/libc.so.6,
+  allow file m /usr/bin/unshare,

  # the local include should not be used without understanding the userns
  # restriction.
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/unshare-userns-restrict>
-}
-
-profile unpriv_unshare flags=(attach_disconnected mediate_deleted) {
-  # not allow all, to allow for pix stack
-  allow file rwlkm /{**,},
-  allow network,
-  allow unix,
-  allow ptrace,
-  allow signal,
-  allow mqueue,
-  allow io_uring,
-  allow userns,
-  allow mount,
-  allow umount,
-  allow pivot_root,
-  allow dbus,
-
-  # Maintain the stack against itself for further transitions
-  # If done recursively the stack will remove any duplicate
-  allow pix /** -> &unpriv_unshare,
-
-  audit deny capability,
-
-  # the local include should not be used without understanding the userns
-  # restriction.
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/unpriv_unshare>
+
+  profile unpriv flags=(attach_disconnected) {
+    # not allow all, to allow for pix stack
+    allow file rwlkm /{**,},
+    allow network,
+    allow unix,
+    allow ptrace,
+    allow signal,
+    allow mqueue,
+    allow io_uring,
+    allow userns,
+    allow mount,
+    allow umount,
+    allow pivot_root,
+    allow dbus,
+
+    allow pix /** -> &unshare//unpriv,
+
+    audit deny capability,
+  }
 }
--- a/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
+++ b/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
@@ -8,6 +8,8 @@
 #
 # ------------------------------------------------------------------

+abi <abi/4.0>,
+
 include <tunables/global>

 profile pyzorsocket /usr/bin/pyzorsocket {
--- a/profiles/apparmor/profiles/extras/usr.bin.razorsocket
+++ b/profiles/apparmor/profiles/extras/usr.bin.razorsocket
@@ -8,6 +8,8 @@
 #
 # ------------------------------------------------------------------

+abi <abi/4.0>,
+
 include <tunables/global>

 profile razorsocket /usr/bin/razorsocket {
--- a/profiles/apparmor/profiles/extras/usr.sbin.clamd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.clamd
@@ -8,6 +8,8 @@
 #
 # ------------------------------------------------------------------

+abi <abi/4.0>,
+
 include <tunables/global>

 profile clamd /usr/sbin/clamd {
--- a/profiles/apparmor/profiles/extras/usr.sbin.haproxy
+++ b/profiles/apparmor/profiles/extras/usr.sbin.haproxy
@@ -8,6 +8,8 @@
 #
 # ------------------------------------------------------------------

+abi <abi/4.0>,
+
 include <tunables/global>

 profile haproxy /usr/sbin/haproxy {
--- a/spread.yaml
+++ b/spread.yaml
@@ -66,6 +66,7 @@ backends:
            - ubuntu-cloud-24.04:
                  username: ubuntu
                  password: ubuntu
+                  workers: 4
                  manual: true
            - ubuntu-cloud-24.10:
                  username: ubuntu
--- a/tests/profiles/tar/task.yaml
+++ b/tests/profiles/tar/task.yaml
@@ -0,0 +1,13 @@
+summary: smoke test for the tar profile
+execute: |
+    # tar works (this is a very basic test).
+    # create a text file, archive it and delete the original file
+    echo "test" > file.txt
+    tar -czf archive.tar file.txt
+    rm file.txt
+    # extract archive, assert content is correct
+    tar -xzf archive.tar
+    test "$(cat file.txt)" = "test"
+
+    # The profile is attached based on the program path.
+    "$SPREAD_PATH"/tests/bin/actual-profile-of tar | MATCH 'tar \(enforce\)'
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -64,7 +64,7 @@ mount_cleanup() {
 }
 do_onexit="mount_cleanup"

-fallocate -l 512K ${mount_file}
+dd if=/dev/zero of=${mount_file} bs=1024 count=512 2> /dev/null
 /sbin/mkfs -t${fstype} -F ${mount_file} > /dev/null 2> /dev/null
 /bin/mkdir ${mount_point}
 /bin/mkdir ${mount_point2}
@@ -77,8 +77,8 @@ if [ ! -b /dev/loop0 ] ; then
 fi

 # find the next free loop device and mount it
-/sbin/losetup -f ${mount_file} || fatalerror 'Unable to set up a loop device'
-loop_device="$(/sbin/losetup -n -O NAME -l -j ${mount_file})"
+loop_device=$(losetup -f) || fatalerror 'Unable to find a free loop device'
+/sbin/losetup "$loop_device" ${mount_file} > /dev/null 2> /dev/null

 options=(
 	# default and non-default options
--- a/tests/regression/apparmor/task.yaml
+++ b/tests/regression/apparmor/task.yaml
@@ -83,7 +83,7 @@ environment:
    # test is expected to fail.
    #
    # Error: unix_fd_server passed. Test 'ATTACH_DISCONNECTED (attach_disconnected.path rule at /)' was expected to 'fail'
-    XFAIL/attach_disconnected: opensuse-cloud-tumbleweed debian-cloud-12 debian-cloud-13 ubuntu-cloud-22.04
+    XFAIL/attach_disconnected: opensuse-cloud-tumbleweed debian-cloud-12 debian-cloud-13 ubuntu-cloud-22.04 ubuntu-cloud-24.04 ubuntu-cloud-24.10
    # Error: unix_fd_server failed. Test 'fd passing; unconfined client' was expected to 'pass'. Reason for failure 'FAIL - bind failed: Permission denied'
    # Error: unix_fd_server failed. Test 'fd passing; confined client w/ rw' was expected to 'pass'. Reason for failure 'FAIL - bind failed: Permission denied'
    XFAIL/deleted: opensuse-cloud-tumbleweed debian-cloud-12 debian-cloud-13
@@ -102,6 +102,21 @@ environment:
    # Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket); confined server w/ a missing af_unix access (create)' was expected to 'fail'
    # Error: unix_socket failed. Test 'AF_UNIX pathname socket (seqpacket); confined client w/ access (rw)' was expected to 'pass'. Reason for failure 'FAIL - setsockopt (SO_RCVTIMEO): Permission denied'
    XFAIL/unix_socket_pathname: opensuse-cloud-tumbleweed debian-cloud-12 debian-cloud-13
+    #    using ptrace v6 tests ...
+    # Error: ptrace failed. Test 'test allow all' was expected to 'pass'. Reason for failure 'FAIL: child exec failed - : Permission denied'
+    # Error: ptrace failed. Test 'test allow all -c' was expected to 'pass'. Reason for failure 'FAIL: child exec failed - : Permission denied'
+    # Error: ptrace failed. Test 'test allow all -h' was expected to 'pass'. Reason for failure 'FAIL: child exec failed - : Permission denied'
+    # Error: ptrace failed. Test 'test allow all -hc' was expected to 'pass'. Reason for failure 'FAIL: child exec failed - : Permission denied'
+    # Error: ptrace failed. Test 'test allow all -h prog' was expected to 'pass'. Reason for failure 'FAIL: child exec failed - : Permission denied'
+    # Error: ptrace failed. Test 'test allow all -hc prog' was expected to 'pass'. Reason for failure 'FAIL: child exec failed - : Permission denied'
+    XFAIL/ptrace: debian-cloud-12 debian-cloud-13 ubuntu-cloud-22.04 ubuntu-cloud-24.04 ubuntu-cloud-24.10 opensuse-cloud-tumbleweed
+    # Error: posix_mq_rcv failed. Test 'POSIX MQUEUE (confined root - allow all)' was expected to 'pass'. Reason for failure 'FAIL 0 - execlp /tmp/apparmor/tests/regression/apparmor/posix_mq_snd /queuename- Permission denied'
+    # Error: posix_mq_rcv failed. Test 'POSIX MQUEUE (confined root - allow all : mq_notify)' was expected to 'pass'. Reason for failure 'FAIL 0 - execlp /tmp/apparmor/tests/regression/apparmor/posix_mq_snd /queuename 4- Permission denied'
+    # Error: posix_mq_rcv failed. Test 'POSIX MQUEUE (confined root - allow all : select)' was expected to 'pass'. Reason for failure 'FAIL 0 - execlp /tmp/apparmor/tests/regression/apparmor/posix_mq_snd /queuename- Permission denied'
+    # Error: posix_mq_rcv failed. Test 'POSIX MQUEUE (confined root - allow all : poll)' was expected to 'pass'. Reason for failure 'FAIL 0 - execlp /tmp/apparmor/tests/regression/apparmor/posix_mq_snd /queuename- Permission denied'
+    # Error: posix_mq_rcv failed. Test 'POSIX MQUEUE (confined root - allow all : epoll)' was expected to 'pass'. Reason for failure 'FAIL 0 - execlp /tmp/apparmor/tests/regression/apparmor/posix_mq_snd /queuename- Permission denied'
+    XFAIL/mqueue: debian-cloud-12 debian-cloud-13 ubuntu-cloud-22.04 ubuntu-cloud-24.04 ubuntu-cloud-24.10 opensuse-cloud-tumbleweed
+    XFAIL/posix_ipc: ubuntu-cloud-22.04 ubuntu-cloud-24.04 ubuntu-cloud-24.10
 artifacts:
    - bash.log
    - bash.err
@@ -123,13 +138,14 @@ execute: |
      echo "Test execution logs are in the files bash.{log,err,trace} and are collected as artifacts"
      echo "Bash errors are listed below:"
      cat bash.err
-      echo "Tail of the trace is:"
-      tail bash.trace
      exit 1
    else
      for xfail in ${XFAIL:-}; do
        if [ "$SPREAD_SYSTEM" = "$xfail" ]; then
          echo "Test $SPREAD_VARIANT has unexpectedly passed"
+          echo "Test execution logs are in the files bash.{log,err,trace} and are collected as artifacts"
+          echo "Bash errors are listed below:"
+          cat bash.err
          exit 1
        fi
      done
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -39,10 +39,10 @@ all: docs
 docs: ${MANPAGES} ${HTMLMANPAGES}

 # need some better way of determining this
-DESTDIR?=/
-BINDIR?=${DESTDIR}/usr/sbin
-CONFDIR?=${DESTDIR}/etc/apparmor
-PYPREFIX?=/usr
+DESTDIR=/
+BINDIR=${DESTDIR}/usr/sbin
+CONFDIR=${DESTDIR}/etc/apparmor
+PYPREFIX=/usr


 po/${NAME}.pot: ${TOOLS} ${PYMODULES}
--- a/utils/aa-genprof
+++ b/utils/aa-genprof
@@ -139,7 +139,7 @@ ratelimit_saved = sysctl_read(ratelimit_sysctl)

 try:
    sysctl_write(ratelimit_sysctl, 0)
-except OSError:  # will fail in lxd
+except PermissionError:  # will fail in lxd
    warn("Can't set printk_ratelimit, some events might be lost")

 atexit.register(restore_ratelimit)
--- a/utils/aa-mergeprof
+++ b/utils/aa-mergeprof
@@ -1,7 +1,7 @@
 #! /usr/bin/python3
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-#    Copyright (C) 2014-2018 Christian Boltz <apparmor@cboltz.de>
+#    Copyright (C) 2014-2024 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -17,7 +17,6 @@ import argparse

 import apparmor.aa
 import apparmor.cleanprofile as cleanprofile
-import apparmor.severity
 import apparmor.ui as aaui
 from apparmor.fail import enable_aa_exception_handler
 from apparmor.translations import init_translation
@@ -114,12 +113,11 @@ class Merge(object):

    def ask_merge_questions(self):
        other = self.base
-        log_dict = {'merge': apparmor.aa.split_to_merged(other.aa)}
+        log_dict = {'merge': other.active_profiles.get_all_profiles()}

        apparmor.aa.loadincludes()

-        if not apparmor.aa.sev_db:
-            apparmor.aa.sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
+        apparmor.aa.load_sev_db()

        # ask about preamble rules
        apparmor.aa.ask_rule_questions(
--- a/utils/aa-notify
+++ b/utils/aa-notify
@@ -37,9 +37,11 @@ import os
 import pwd
 import re
 import sys
+import tempfile
 import time

 import subprocess
+from collections import defaultdict

 import notify2
 import psutil
@@ -54,7 +56,7 @@ from apparmor.fail import enable_aa_exception_handler
 from apparmor.notify import get_last_login_timestamp
 from apparmor.translations import init_translation
 from apparmor.logparser import ReadLog
-from apparmor.gui import UsernsGUI, ErrorGUI, ShowMoreGUI, set_interface_theme
+from apparmor.gui import UsernsGUI, ErrorGUI, ShowMoreGUI, ShowMoreGUIAggregated, set_interface_theme
 from apparmor.rule.file import FileRule

 from dbus import DBusException
@@ -121,7 +123,7 @@ def is_event_in_filter(event, filters):
    return True


-def notify_about_new_entries(logfile, filters, wait=0):
+def daemonize():
    """Run the notification daemon in the background."""
    # Kill other instances of aa-notify if already running
    for process in psutil.process_iter():
@@ -144,19 +146,9 @@ def notify_about_new_entries(logfile, filters, wait=0):
        except DBusException:
            sys.exit(_('Cannot initialize notify2. Please check that your terminal can use a graphical interface'))

-        try:
-            thread = threading.Thread(target=start_glib_loop)
-            thread.daemon = True
-            thread.start()
-
-            for event in follow_apparmor_events(logfile, wait):
-                if not is_event_in_filter(event, filters):
-                    continue
-                debug_logger.info(format_event(event, logfile))
-                yield event, format_event(event, logfile)
-        except PermissionError:
-            sys.exit(_("ERROR: Cannot read {}. Please check permissions.").format(logfile))
-
+        thread = threading.Thread(target=start_glib_loop)
+        thread.daemon = True
+        thread.start()
    else:
        print(_('Notification emitter started in the background'))
        # pids = (os.getpid(), newpid)
@@ -164,6 +156,17 @@ def notify_about_new_entries(logfile, filters, wait=0):
        os._exit(0)  # Exit child without calling exit handlers etc


+def notify_about_new_entries(logfile, filters, wait=0):
+    try:
+        for event in follow_apparmor_events(logfile, wait):
+            if not is_event_in_filter(event, filters):
+                continue
+            debug_logger.info(format_event(event, logfile))
+            yield event, format_event(event, logfile)
+    except PermissionError:
+        sys.exit(_("ERROR: Cannot read {}. Please check permissions.").format(logfile))
+
+
 def show_entries_since_epoch(logfile, epoch_since, filters):
    """Show AppArmor notifications since given timestamp."""
    count = 0
@@ -292,6 +295,22 @@ def reopen_logfile_if_needed(logfile, logdata, log_inode, log_size):
    return (logdata, log_inode, log_size)


+def get_apparmor_events_return(logfile, since=0):
+    """Read audit events from log source and return all relevant events."""
+    out = []
+    # Get logdata from file
+    # @TODO Implement more log sources in addition to just the logfile
+    try:
+        with open_file_read(logfile) as logdata:
+            for event in parse_logdata(logdata):
+                if event.epoch > since:
+                    out.append(event)
+
+        return out
+    except PermissionError:
+        sys.exit(_("ERROR: Cannot read {}. Please check permissions.".format(logfile)))
+
+
 def get_apparmor_events(logfile, since=0):
    """Read audit events from log source and yield all relevant events."""

@@ -378,6 +397,10 @@ def drop_privileges():
        os.setegid(int(next_gid))
        os.seteuid(int(next_uid))

+    # sudo does not preserve DBUS address, so we need to guess it based on UID
+    if 'DBUS_SESSION_BUS_ADDRESS' not in os.environ:
+        os.environ['DBUS_SESSION_BUS_ADDRESS'] = 'unix:path=/run/user/{}/bus'.format(os.geteuid())
+

 def raise_privileges():
    """Raise privileges of process.
@@ -477,77 +500,95 @@ def ask_for_user_ns_denied(path, name, interactive=True):
        debug_logger.debug('No action from the user for {}'.format(path))


-def prompt_userns(ev, special_profiles):
-    """If the user namespace creation denial was generated by an unconfined binary, displays a graphical notification.
-    Creates a new profile to allow userns if the user wants it. Returns whether a notification was displayed to the user
-    """
-    if not is_special_profile_userns(ev, special_profiles):
-        return False
-
+def can_leverage_userns_event(ev):
    if ev['execpath'] is None:
-        UsernsGUI.show_error_cannot_find_execpath(ev['comm'], os.path.dirname(os.path.abspath(__file__)) + '/default_unconfined.template')
-        return True
+        return 'error_cannot_find_path'

    aa.update_profiles()

    if aa.get_profile_filename_from_profile_name(ev['comm']):
+        return 'error_userns_profile_exists'
+    return 'ok'
+
+
+def prompt_userns(ev):
+    """If the user namespace creation denial was generated by an unconfined binary, displays a graphical notification.
+    Creates a new profile to allow userns if the user wants it. Returns whether a notification was displayed to the user
+    """
+    userns_event_usable = can_leverage_userns_event(ev)
+    if userns_event_usable == 'error_cannot_find_path':
+        UsernsGUI.show_error_cannot_find_execpath(ev['comm'], os.path.dirname(os.path.abspath(__file__)) + '/default_unconfined.template')
+    elif userns_event_usable == 'error_userns_profile_exists':
        # There is already a profile with this name: we show an error to the user.
        # We could use the full path as profile name like for the old profiles if we want to handle this case
        # but if execpath is not supported by the kernel it could also mean that we inferred a bad path
        # So we do nothing beyond showing this error.
        ErrorGUI(
            _('Application {profile} tried to create an user namespace, but a profile already exists with this name.\n'
-              'This is likely because there is several binaries named {profile} thus the path inferred by AppArmor ({inferred_path}) is not correct.\n'
-              'You should review your profiles (in {profile_dir}).').format(profile=ev['comm'], inferred_path=ev['execpath'], profile_dir=aa.profile_dir),
+                'This is likely because there is several binaries named {profile} thus the path inferred by AppArmor ({inferred_path}) is not correct.\n'
+                'You should review your profiles (in {profile_dir}).').format(profile=ev['comm'], inferred_path=ev['execpath'], profile_dir=aa.profile_dir),
            False).show()
-        return True
+    elif userns_event_usable == 'ok':
+        ask_for_user_ns_denied(ev['execpath'], ev['comm'])

-    ask_for_user_ns_denied(ev['execpath'], ev['comm'])

-    return True
+def get_more_info_about_event(rl, ev, special_profiles, header='', get_clean_rule=False):
+    out = header
+    clean_rule = None
+
+    for key, value in ev.items():
+        if value:
+            out += '\t{} = {}\n'.format(_(key), value)
+
+    out += _('\nThe software that declined this operation is {}\n').format(ev['profile'])
+
+    rule = rl.create_rule_from_ev(ev)
+
+    if rule:
+        if type(rule) is FileRule and rule.exec_perms == FileRule.ANY_EXEC:
+            rule.exec_perms = 'Pix'
+        aa.update_profiles()
+        if customized_message['userns']['cond'](ev, special_profiles):
+            profile_path = None
+            out += _('You may allow it through a dedicated unconfined profile for {}.').format(ev['comm'])
+            userns_event_usable = can_leverage_userns_event(ev)
+            if userns_event_usable == 'error_cannot_find_path':
+                clean_rule = _('# You may allow it through a dedicated unconfined profile for {0}. However, apparmor cannot find {0}. If you want to allow it, please create a profile for it manually.').format(ev['comm'])
+            elif userns_event_usable == 'error_userns_profile_exists':
+                clean_rule = _('# You may allow it through a dedicated unconfined profile for {} ({}). However, a profile already exists with this name. If you want to allow it, please create a profile for it manually.').format(ev['comm'], ev['execpath'])
+            elif userns_event_usable == 'ok':
+                clean_rule = _('# You may allow it through a dedicated unconfined profile for {} ({})').format(ev['comm'], ev['execpath'])
+        else:
+            profile_path = aa.get_profile_filename_from_profile_name(ev['profile'])
+            clean_rule = rule.get_clean()
+            if profile_path:
+                out += _('If you want to allow this operation you can add the line below in profile {}\n').format(profile_path)
+                out += clean_rule
+            else:
+                out += _('However {profile} is not in {profile_dir}\nIt is likely that the profile was not stored in {profile_dir} or was removed.\n').format(profile=ev['profile'], profile_dir=aa.profile_dir)
+    else:  # Should not happen
+        out += _('ERROR: Could not create rule from event.')
+        profile_path = None
+
+    if get_clean_rule:
+        return out, profile_path, clean_rule
+    else:
+        return out, profile_path


 # TODO reuse more code from aa-logprof in callbacks
 def cb_more_info(notification, action, _args):
-    (raw_ev, rl, special_profiles) = _args
+    (ev, rl, special_profiles) = _args
+    args.wait = args.min_wait
    notification.close()

-    parsed_event = rl.parse_record(raw_ev)
-    out = _('Operation denied by AppArmor\n\n')
+    out, profile_path, clean_rule = get_more_info_about_event(rl, ev, special_profiles, _('Operation denied by AppArmor\n\n'), get_clean_rule=True)

-    for key, value in parsed_event.items():
-        if value:
-            out += '\t{} = {}\n'.format(_(key), value)
-
-    out += _('\nThe software that declined this operation is {}\n').format(parsed_event['profile'])
-
-    rule = rl.create_rule_from_ev(parsed_event)
-
-    # Exec events are created with the default FileRule.ANY_EXEC. We use Pix for actual rules
-    if type(rule) is FileRule and rule.exec_perms == FileRule.ANY_EXEC:
-        rule.exec_perms = 'Pix'
-
-    if rule:
-        aa.update_profiles()
-        if customized_message['userns']['cond'](parsed_event, special_profiles):
-            profile_path = None
-            out += _('You may allow it through a dedicated unconfined profile for {}.').format(parsed_event['comm'])
-        else:
-            profile_path = aa.get_profile_filename_from_profile_name(parsed_event['profile'])
-            if profile_path:
-                out += _('If you want to allow this operation you can add the line below in profile {}\n').format(profile_path)
-                out += rule.get_clean()
-            else:
-                out += _('However {profile} is not in {profile_dir}\nIt is likely that the profile was not stored in {profile_dir} or was removed.\n').format(profile=parsed_event['profile'], profile_dir=aa.profile_dir)
-    else:  # Should not happen
-        out += _('ERROR: Could not create rule from event.')
-        return
-
-    ans = ShowMoreGUI(profile_path, out, rule.get_clean(), parsed_event['profile'], profile_path is not None).show()
+    ans = ShowMoreGUI(profile_path, out, clean_rule, ev['profile'], profile_path is not None).show()
    if ans == 'add_rule':
-        add_to_profile(rule.get_clean(), parsed_event['profile'])
+        add_to_profile(clean_rule, ev['profile'])
    elif ans in {'allow', 'deny'}:
-        create_userns_profile(parsed_event['comm'], parsed_event['execpath'], ans)
+        create_userns_profile(ev['comm'], ev['execpath'], ans)


 def add_to_profile(rule, profile_name):
@@ -573,12 +614,69 @@ def add_to_profile(rule, profile_name):
            ErrorGUI(_('Failed to add rule {rule} to {profile}\nError code = {retcode}').format(rule=rule, profile=profile_name, retcode=e.returncode), False).show()


-def cb_add_to_profile(notification, action, _args):
-    (raw_ev, rl, special_profiles) = _args
-    notification.close()
-    parsed_event = rl.parse_record(raw_ev)
+def create_from_file(file_path):
+    update_profile_path = update_profile.__file__
+    command = ['pkexec', '--keep-cwd', update_profile_path, 'from_file', file_path]
+    try:
+        subprocess.run(command, check=True)
+    except subprocess.CalledProcessError as e:
+        if e.returncode != 126:  # return code 126 means the user cancelled the request
+            ErrorGUI(_('Failed to add some rules'), False).show()

-    rule = rl.create_rule_from_ev(parsed_event)
+
+def allow_all(clean_rules):
+    local_template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'default_unconfined.template')
+    if os.path.exists(local_template_path):  # We are using local aa-notify -> we use local template
+        template_path = local_template_path
+    else:
+        template_path = aa.CONFDIR + '/default_unconfined.template'
+
+    tmp = tempfile.NamedTemporaryFile()
+    with open(tmp.name, mode='w') as f:
+        profile = None
+        for line in clean_rules.splitlines():
+            if line == '':
+                continue
+            elif line[0] == '#':
+                profile = None
+                pass
+            elif line[0] != '\t':
+                profile = line[8:-1]  # 8:-1 is to remove 'profile ' and ':'
+            else:
+                if line[1] == '#':  # Add to userns
+                    if line[-1] == '.':  # '.' <==> There is an error: we cannot add the profile automatically
+                        continue
+                    profile_name = line.split()[-2]  # line always finishes by <profile_name>
+                    bin_path = line.split()[-1][1:-1]  # 1:-1 to remove the parenthesis
+                    profile_path = aa.get_profile_filename_from_profile_name(profile_name, True)
+                    if not profile_path:
+                        ErrorGUI(_('Cannot get profile path for {}.').format(profile_name), False).show()
+                        continue
+                    f.write('create_userns\t{}\t{}\t{}\t{}\t{}\n'.format(template_path, profile_name, bin_path, profile_path, 'allow'))
+                else:
+                    if profile is not None:
+                        f.write('add_rule\t{}\t{}\n'.format(line[1:], profile))
+                    else:
+                        print(_("Rule {} cannot be added automatically").format(line[1:]), file=sys.stdout)
+
+    create_from_file(tmp.name)
+
+
+# TODO reuse more code from aa-logprof in callbacks
+def cb_more_info_aggregated(notification, action, _args):
+    (to_display, aggregated, clean_rules) = _args
+    args.wait = args.min_wait
+    res = ShowMoreGUIAggregated(to_display, aggregated, clean_rules).show()
+    if res == 'allow_all':
+        allow_all(clean_rules)
+
+
+def cb_add_to_profile(notification, action, _args):
+    (ev, rl, special_profiles) = _args
+    args.wait = args.min_wait
+    notification.close()
+
+    rule = rl.create_rule_from_ev(ev)

    # Exec events are created with the default FileRule.ANY_EXEC. We use Pix for actual rules
    if type(rule) is FileRule and rule.exec_perms == FileRule.ANY_EXEC:
@@ -590,10 +688,10 @@ def cb_add_to_profile(notification, action, _args):

    aa.update_profiles()

-    if customized_message['userns']['cond'](parsed_event, special_profiles):
-        ask_for_user_ns_denied(parsed_event['execpath'], parsed_event['comm'], False)
+    if customized_message['userns']['cond'](ev, special_profiles):
+        ask_for_user_ns_denied(ev['execpath'], ev['comm'], False)
    else:
-        add_to_profile(rule.get_clean(), parsed_event['profile'])
+        add_to_profile(rule.get_clean(), ev['profile'])


 customized_message = {
@@ -616,6 +714,83 @@ def start_glib_loop():
    loop.run()


+def aggregate_event(agg, ev, keys_to_aggregate):
+    profile = ev['profile']
+    agg[profile]['count'] += 1
+    agg[profile]['events'].append(ev)
+
+    for key in keys_to_aggregate:
+        if key in ev:
+            value = ev[key]
+            agg[profile]['values'][key][value] += 1
+
+    return agg
+
+
+def get_aggregated(rl, agg, max_nb_profiles, keys_to_aggregate, special_profiles):
+    notification = ''
+    summary = ''
+    more_info = ''
+    clean_rules = ''
+    summary = _('Notifications were raised for profiles: {}\n').format(', '.join(list(agg.keys())))
+
+    sorted_profiles = sorted(agg.items(), key=lambda item: item[1]['count'], reverse=True)
+    for profile, data in sorted_profiles:
+        profile_notif = _('profile: {} — {} events\n').format(profile, data['count'])
+        notification += profile_notif
+        summary += profile_notif
+        if len(agg) <= max_nb_profiles:
+            for key in keys_to_aggregate:
+                if key in data['values']:
+                    total_key_events = sum(data['values'][key].values())
+                    sorted_values = sorted(data['values'][key].items(), key=lambda item: item[1], reverse=True)
+                    for value, count in sorted_values:
+                        percent = (count / total_key_events) * 100
+                        if percent >= 20:  # We exclude rare cases for clarity. 20% is arbitrary
+                            summary += _('\t{} was {} {:.1f}% of the time\n').format(key, value, percent)
+            summary += '\n'
+
+        more_info += _('profile {}, {} events\n').format(profile, data['count'])
+        rules_for_profiles = set()
+        found_profile = True
+        for i, ev in enumerate(data['events']):
+            more_info_rule, profile_path, clean_rule = get_more_info_about_event(rl, ev, special_profiles, _(' - Event {} -\n').format(i + 1), get_clean_rule=True)
+            if i != 0:
+                more_info += '\n\n'
+            if not profile_path:
+                found_profile = False
+            more_info += more_info_rule
+            if clean_rule:
+                rules_for_profiles.add(clean_rule)
+        if rules_for_profiles != set():
+            if profile not in special_profiles:
+                if found_profile:
+                    clean_rules += _('profile {}:').format(profile)
+                else:
+                    clean_rules += _('# Unknown profile {}').format(profile)
+            else:
+                clean_rules += _('# unprivileged userns denials ({}):').format(profile)
+            clean_rules += '\n\t' + '\n\t'.join(rules_for_profiles) + '\n'
+    return notification, summary, more_info, clean_rules
+
+
+def display_notification(ev, rl, message, userns_special_profiles):
+    message = customize_notification_message(ev, message, userns_special_profiles)
+    n = notify2.Notification(_('AppArmor security notice'), message, 'gtk-dialog-warning')
+    if can_allow_rule(ev, userns_special_profiles):
+        n.add_action('clicked', 'Allow', cb_add_to_profile, (ev, rl, userns_special_profiles))
+    n.add_action('more_clicked', 'Show More', cb_more_info, (ev, rl, userns_special_profiles))
+
+    n.show()
+
+
+def display_aggregated_notification(rl, aggregated, maximum_number_notification_profiles, keys_to_aggregate, special_profiles):
+    notification, summary, more_info, clean_rules = get_aggregated(rl, aggregated, maximum_number_notification_profiles, keys_to_aggregate, special_profiles)
+    n = notify2.Notification(_('AppArmor security notice'), notification, 'gtk-dialog-warning')
+    n.add_action('more_aggregated_clicked', 'Show More Info', cb_more_info_aggregated, (summary, more_info, clean_rules))
+    n.show()
+
+
 def main():
    """Run aa-notify.

@@ -652,6 +827,7 @@ def main():
    parser.add_argument('-v', '--verbose', action='store_true', help=_('show messages with stats'))
    parser.add_argument('-u', '--user', type=str, help=_('user to drop privileges to when not using sudo'))
    parser.add_argument('-w', '--wait', type=int, metavar=('NUM'), help=_('wait NUM seconds before displaying notifications (with -p)'))
+    parser.add_argument('-m', '--merge-notifications', action='store_true', help=_('Merge notification for improved readability (with -p)'))
    parser.add_argument('--prompt-filter', type=str, metavar=('PF'), help=_('kind of operations which display a popup prompt'))
    parser.add_argument('--debug', action='store_true', help=_('debug mode'))
    parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)
@@ -736,6 +912,8 @@ def main():
    - ignore_denied_capability
    - interface_theme
    - prompt_filter
+    - maximum_number_notification_profiles
+    - keys_to_aggregate
    - filter.profile,
    - filter.operation,
    - filter.name,
@@ -756,6 +934,8 @@ def main():
        'show_notifications',
        'message_body',
        'message_footer',
+        'maximum_number_notification_profiles',
+        'keys_to_aggregate',
        'filter.profile',
        'filter.operation',
        'filter.name',
@@ -852,6 +1032,16 @@ def main():
        if unsupported:
            sys.exit(_('ERROR: using an unsupported prompt filter: {}\nSupported values: {}').format(', '.join(unsupported), ', '.join(supported_prompt_filter)))

+    if 'maximum_number_notification_profiles' in config['']:
+        maximum_number_notification_profiles = int(config['']['maximum_number_notification_profiles'].strip())
+    else:
+        maximum_number_notification_profiles = 2
+
+    if 'keys_to_aggregate' in config['']:
+        keys_to_aggregate = config['']['keys_to_aggregate'].strip().split(',')
+    else:
+        keys_to_aggregate = {'operation', 'class', 'name', 'denied', 'target'}
+
    if args.file:
        logfile = args.file
    elif os.path.isfile('/var/run/auditd.pid') and os.path.isfile('/var/log/audit/audit.log'):
@@ -888,49 +1078,76 @@ def main():
        # Initialize the list of profiles for can_allow_rule
        aa.read_profiles()

-        # At this point this script needs to be able to read 'logfile' but once
-        # the for loop starts, privileges can be dropped since the file descriptor
-        # has been opened and access granted. Further reads of the file will not
-        # trigger any new permission checks.
-        # @TODO Plan to catch PermissionError here or..?
-        for (event, message) in notify_about_new_entries(logfile, filters, args.wait):
-            ev = rl.parse_record(event)
+        drop_privileges()
+        daemonize()
+        raise_privileges()

-            # @TODO redo special behaviours with a more regular function
-            # We ignore capability denials for binaries in ignore_denied_capability
-            if ev['operation'] == 'capable' and ev['comm'] in ignore_denied_capability:
-                continue
+        if args.merge_notifications:
+            if not args.wait or args.wait == 0:
+                # args.wait now uses an exponential backoff.
+                # If there is several notifications on a time period, the time period doubles to avoid flooding.
+                # If there is no notification on a time period, the time period is divided by two.
+                args.wait = 5
+            args.min_wait = args.wait
+            args.max_wait = args.wait * 2**5  # Arbitrary power of two (2 minutes 40 if args.wait is 5 seconds)

-            # Special behaivor for userns:
-            if args.prompt_filter and 'userns' in args.prompt_filter and customized_message['userns']['cond'](ev, userns_special_profiles):
-                if prompt_userns(ev, userns_special_profiles):
+            old_time = int(time.time())
+            while True:
+
+                raw_evs = get_apparmor_events_return(logfile, old_time)
+                drop_privileges()
+
+                if len(raw_evs) == 1:  # Single event: we handle it without aggregation
+                    raw_ev = raw_evs[0]
+                    ev = rl.parse_record(raw_ev)
+                    display_notification(ev, rl, format_event(raw_ev, logfile), userns_special_profiles)
+                elif len(raw_evs) > 1:
+                    if args.wait < args.max_wait:
+                        args.wait *= 2
+                    aggregated = defaultdict(lambda: {'count': 0, 'values': defaultdict(lambda: defaultdict(int)), 'events': []})
+                    for raw_ev in raw_evs:
+                        ev = rl.parse_record(raw_ev)
+                        aggregate_event(aggregated, ev, keys_to_aggregate)
+                    display_aggregated_notification(rl, aggregated, maximum_number_notification_profiles, keys_to_aggregate, userns_special_profiles)
+                else:
+                    if args.wait > args.min_wait:
+                        args.wait /= 2
+
+                old_time = int(time.time())
+
+                # When notification is sent, raise privileged back to root if the
+                # original effective user id was zero (to be able to read AppArmor logs)
+                raise_privileges()
+                time.sleep(args.wait)
+        else:
+            args.min_wait = args.wait
+            # At this point this script needs to be able to read 'logfile' but once
+            # the for loop starts, privileges can be dropped since the file descriptor
+            # has been opened and access granted. Further reads of the file will not
+            # trigger any new permission checks.
+            # @TODO Plan to catch PermissionError here or..?
+            for (event, message) in notify_about_new_entries(logfile, filters, args.wait):
+                ev = rl.parse_record(event)
+
+                # @TODO redo special behaviours with a more regular function
+                # We ignore capability denials for binaries in ignore_denied_capability
+                if ev['operation'] == 'capable' and ev['comm'] in ignore_denied_capability:
+                    continue
+
+                # Special behaivor for userns:
+                if args.prompt_filter and 'userns' in args.prompt_filter and customized_message['userns']['cond'](ev, userns_special_profiles):
+                    prompt_userns(ev)
                    continue  # Notification already displayed for this event, we go to the next one.

-            # Notifications should not be run as root, since root probably is
-            # the wrong desktop user and not the one getting the notifications.
-            drop_privileges()
+                # Notifications should not be run as root, since root probably is
+                # the wrong desktop user and not the one getting the notifications.
+                drop_privileges()

-            # sudo does not preserve DBUS address, so we need to guess it based on UID
-            if 'DBUS_SESSION_BUS_ADDRESS' not in os.environ:
-                os.environ['DBUS_SESSION_BUS_ADDRESS'] = 'unix:path=/run/user/{}/bus'.format(os.geteuid())
+                display_notification(ev, rl, message, userns_special_profiles)

-            message = customize_notification_message(ev, message, userns_special_profiles)
-
-            n = notify2.Notification(
-                _('AppArmor security notice'),
-                message,
-                'gtk-dialog-warning'
-            )
-
-            if can_allow_rule(ev, userns_special_profiles):
-                n.add_action('clicked', 'Allow', cb_add_to_profile, (event, rl, userns_special_profiles))
-            n.add_action('more_clicked', 'Show More', cb_more_info, (event, rl, userns_special_profiles))
-
-            n.show()
-
-            # When notification is sent, raise privileged back to root if the
-            # original effective user id was zero (to be able to read AppArmor logs)
-            raise_privileges()
+                # When notification is sent, raise privileged back to root if the
+                # original effective user id was zero (to be able to read AppArmor logs)
+                raise_privileges()

    elif args.since_last:
        show_entries_since_last_login(logfile, filters)
--- a/utils/aa-notify.desktop
+++ b/utils/aa-notify.desktop
@@ -3,7 +3,7 @@ Type=Application
 Name=AppArmor Notify
 Comment=Receive on screen notifications of AppArmor denials
 TryExec=/usr/bin/aa-notify
-Exec=/usr/bin/aa-notify -p -s 1 -w 60
+Exec=/usr/bin/aa-notify --poll --merge-notifictions --since-days 1 --wait 5
 StartupNotify=false
 NoDisplay=true
 X-Ubuntu-Gettext-Domain=aa-notify
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1,6 +1,6 @@
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-#    Copyright (C) 2014-2021 Christian Boltz <apparmor@cboltz.de>
+#    Copyright (C) 2014-2024 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -69,6 +69,7 @@ use_abstractions = True
 include = dict()

 active_profiles = ProfileList()
+original_profiles = ProfileList()
 extra_profiles = ProfileList()

 # To store the globs entered by users so they can be provided again
@@ -78,9 +79,6 @@ user_globs = {}
 # let ask_addhat() remember answers for already-seen change_hat events
 transitions = {}

-aa = {}  # Profiles originally in sd, replace by aa
-original_aa = hasher()
-
 changed = dict()
 created = []
 helpers = dict()  # Preserve this between passes # was our
@@ -92,12 +90,11 @@ def reset_aa():
       Used by aa-mergeprof and some tests.
    """

-    global aa, include, active_profiles, original_aa
+    global include, active_profiles, original_profiles

-    aa = {}
    include = dict()
    active_profiles = ProfileList()
-    original_aa = hasher()
+    original_profiles = ProfileList()


 def on_exit():
@@ -417,6 +414,7 @@ def create_new_profile(localfile, is_stub=False):
                full_hat = combine_profname((localfile, hat))
                if not local_profile.get(full_hat, False):
                    local_profile[full_hat] = ProfileStorage('NEW', hat, 'create_new_profile() required_hats')
+                    local_profile[full_hat]['parent'] = localfile
                    local_profile[full_hat]['is_hat'] = True
                local_profile[full_hat]['flags'] = 'complain'

@@ -428,30 +426,10 @@ def create_new_profile(localfile, is_stub=False):
    return local_profile


-def delete_profile(local_prof):
-    """Deletes the specified file from the disk and remove it from our list"""
-    profile_file = get_profile_filename_from_profile_name(local_prof, True)
-    if os.path.isfile(profile_file):
-        os.remove(profile_file)
-    if aa.get(local_prof, False):
-        aa.pop(local_prof)
-
-    # prof_unload(local_prof)
-
-
-def confirm_and_abort():
-    ans = aaui.UI_YesNo(_('Are you sure you want to abandon this set of profile changes and exit?'), 'n')
-    if ans == 'y':
-        aaui.UI_Info(_('Abandoning all changes.'))
-        for prof in created:
-            delete_profile(prof)
-        sys.exit(0)
-
-
 def get_profile(prof_name):
    """search for inactive/extra profile, and ask if it should be used"""

-    if not extra_profiles.profiles.get(prof_name, False):
+    if not extra_profiles.profile_exists(prof_name):
        return None  # no inactive profile found

    # TODO: search based on the attachment, not (only?) based on the profile name
@@ -524,14 +502,14 @@ def autodep(bin_name, pname=''):
    file = get_profile_filename_from_profile_name(pname, True)
    profile_data[pname]['filename'] = file  # change filename from extra_profile_dir to /etc/apparmor.d/

-    attach_profile_data(aa, profile_data)
-    attach_profile_data(original_aa, profile_data)
+    for p in profile_data.keys():
+        original_profiles.add_profile(file, p, profile_data[p]['attachment'], deepcopy(profile_data[p]))

    attachment = profile_data[pname]['attachment']
    if not attachment and pname.startswith('/'):
        attachment = pname  # use name as name and attachment

-    active_profiles.add_profile(file, pname, attachment)
+    active_profiles.add_profile(file, pname, attachment, profile_data[pname])

    if os.path.isfile(profile_dir + '/abi/4.0'):
        active_profiles.add_abi(file, AbiRule('abi/4.0', False, True))
@@ -581,6 +559,8 @@ def change_profile_flags(prof_filename, program, flag, set_flag):
            for lineno, line in enumerate(f_in):
                if RE_PROFILE_START.search(line):
                    depth += 1
+                    # TODO: hand over profile and hat (= parent profile)
+                    #       (and find out why it breaks test-aa.py with several "a child profile inside another child profile is not allowed" errors when doing so)
                    (profile, hat, prof_storage) = ProfileStorage.parse(line, prof_filename, lineno, '', '')
                    old_flags = prof_storage['flags']
                    newflags = ', '.join(add_or_remove_flag(old_flags, flag, set_flag))
@@ -601,6 +581,7 @@ def change_profile_flags(prof_filename, program, flag, set_flag):
                        line = '%s\n' % line[0]
                elif RE_PROFILE_HAT_DEF.search(line):
                    depth += 1
+                    # TODO: hand over profile and hat (= parent profile)
                    (profile, hat, prof_storage) = ProfileStorage.parse(line, prof_filename, lineno, '', '')
                    old_flags = prof_storage['flags']
                    newflags = ', '.join(add_or_remove_flag(old_flags, flag, set_flag))
@@ -610,6 +591,7 @@ def change_profile_flags(prof_filename, program, flag, set_flag):
                    line = '%s\n' % line[0]
                elif RE_PROFILE_END.search(line):
                    depth -= 1
+                    # TODO: restore 'profile' and 'hat' to previous values (not really needed/used for aa-complain etc., but can't hurt)

                f_out.write(line)
    os.rename(temp_file.name, prof_filename)
@@ -621,23 +603,6 @@ def change_profile_flags(prof_filename, program, flag, set_flag):
            raise AppArmorException("%(file)s doesn't contain a valid profile for %(profile)s (syntax error?)" % {'file': prof_filename, 'profile': program})


-def profile_exists(program):
-    """Returns True if profile exists, False otherwise"""
-    # Check cache of profiles
-
-    if active_profiles.filename_from_attachment(program):
-        return True
-    # Check the disk for profile
-    prof_path = get_profile_filename_from_attachment(program, True)
-    # print(prof_path)
-    if os.path.isfile(prof_path):
-        # Add to cache of profile
-        raise AppArmorBug('Reached strange condition in profile_exists(), please open a bugreport!')
-        # active_profiles[program] = prof_path
-        # return True
-    return False
-
-
 def build_x_functions(default, options, exec_toggle):
    ret_list = []
    fallback_toggle = False
@@ -692,7 +657,7 @@ def ask_addhat(hashlog):
            for full_hat in hashlog[aamode][profile]['change_hat']:
                hat = full_hat.split('//')[-1]

-                if aa[profile].get(hat, False):
+                if active_profiles.profile_exists(full_hat):
                    continue  # no need to ask if the hat already exists

                default_hat = None
@@ -729,18 +694,26 @@ def ask_addhat(hashlog):

                transitions[context] = ans

+                filename = active_profiles.filename_from_profile_name(profile)  # filename of parent profile, will be used for new hats
+
                if ans == 'CMD_ADDHAT':
-                    aa[profile][hat] = ProfileStorage(profile, hat, 'ask_addhat addhat')
-                    aa[profile][hat]['flags'] = aa[profile][profile]['flags']
-                    hashlog[aamode][full_hat]['final_name'] = '%s//%s' % (profile, hat)
+                    hat_obj = ProfileStorage(profile, hat, 'ask_addhat addhat')
+                    hat_obj['parent'] = profile
+                    hat_obj['flags'] = active_profiles[profile]['flags']
+                    new_full_hat = combine_profname([profile, hat])
+                    active_profiles.add_profile(filename, new_full_hat, hat, hat_obj)
+                    hashlog[aamode][full_hat]['final_name'] = new_full_hat
                    changed[profile] = True
                elif ans == 'CMD_USEDEFAULT':
                    hat = default_hat
-                    hashlog[aamode][full_hat]['final_name'] = '%s//%s' % (profile, default_hat)
-                    if not aa[profile].get(hat, False):
+                    new_full_hat = combine_profname([profile, hat])
+                    hashlog[aamode][full_hat]['final_name'] = new_full_hat
+                    if not active_profiles.profile_exists(full_hat):
                        # create default hat if it doesn't exist yet
-                        aa[profile][hat] = ProfileStorage(profile, hat, 'ask_addhat default hat')
-                        aa[profile][hat]['flags'] = aa[profile][profile]['flags']
+                        hat_obj = ProfileStorage(profile, hat, 'ask_addhat default hat')
+                        hat_obj['parent'] = profile
+                        hat_obj['flags'] = active_profiles[profile]['flags']
+                        active_profiles.add_profile(filename, new_full_hat, hat, hat_obj)
                        changed[profile] = True
                elif ans == 'CMD_DENY':
                    # As unknown hat is denied no entry for it should be made
@@ -748,7 +721,7 @@ def ask_addhat(hashlog):
                    continue


-def ask_exec(hashlog):
+def ask_exec(hashlog, default_ans=''):
    """ask the user about exec events (requests to execute another program) and which exec mode to use"""

    for aamode in hashlog:
@@ -763,14 +736,14 @@ def ask_exec(hashlog):
                        raise AppArmorBug(
                            'exec permissions requested for directory %s (profile %s). This should not happen - please open a bugreport!' % (exec_target, full_profile))

-                    if not aa.get(profile):
+                    if not active_profiles.profile_exists(profile):
                        continue  # ignore log entries for non-existing profiles

-                    if not aa[profile].get(hat):
+                    if not active_profiles.profile_exists(full_profile):
                        continue  # ignore log entries for non-existing hats

                    exec_event = FileRule(exec_target, None, FileRule.ANY_EXEC, FileRule.ALL, owner=False, log_event=True)
-                    if is_known_rule(aa[profile][hat], 'file', exec_event):
+                    if is_known_rule(active_profiles[full_profile], 'file', exec_event):
                        continue

                    # nx is not used in profiles but in log files.
@@ -836,7 +809,10 @@ def ask_exec(hashlog):
                    # ask user about the exec mode to use
                    ans = ''
                    while ans not in ('CMD_ix', 'CMD_px', 'CMD_cx', 'CMD_nx', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_ux', 'CMD_DENY'):  # add '(I)gnore'? (hotkey conflict with '(i)x'!)
-                        ans = q.promptUser()[0]
+                        if default_ans:
+                            ans = default_ans
+                        else:
+                            ans = q.promptUser()[0]

                        if ans.startswith('CMD_EXEC_IX_'):
                            exec_toggle = not exec_toggle
@@ -871,20 +847,22 @@ def ask_exec(hashlog):
                        elif ans in ('CMD_px', 'CMD_cx', 'CMD_pix', 'CMD_cix'):
                            exec_mode = ans.replace('CMD_', '')
                            px_msg = _(
-                                "Should AppArmor sanitise the environment when\n"
-                                "switching profiles?\n"
+                                "Should AppArmor enable secure-execution mode\n"
+                                "when switching profiles?\n"
                                "\n"
-                                "Sanitising environment is more secure,\n"
-                                "but some applications depend on the presence\n"
-                                "of LD_PRELOAD or LD_LIBRARY_PATH.")
+                                "Doing so is more secure, but some applications\n"
+                                "depend on the presence of LD_PRELOAD or\n"
+                                "LD_LIBRARY_PATH, which would be sanitized by\n"
+                                "enabling secure-execution mode.")
                            if parent_uses_ld_xxx:
                                px_msg = _(
-                                    "Should AppArmor sanitise the environment when\n"
-                                    "switching profiles?\n"
+                                    "Should AppArmor enable secure-execution mode\n"
+                                    "when switching profiles?\n"
                                    "\n"
-                                    "Sanitising environment is more secure,\n"
+                                    "Doing so is more secure,\n"
                                    "but this application appears to be using LD_PRELOAD\n"
-                                    "or LD_LIBRARY_PATH and sanitising the environment\n"
+                                    "or LD_LIBRARY_PATH, and sanitising those environment\n"
+                                    "variables by enabling secure-execution mode\n"
                                    "could cause functionality problems.")

                            ynans = aaui.UI_YesNo(px_msg, 'y')
@@ -918,7 +896,7 @@ def ask_exec(hashlog):
                        file_perm = 'mr'
                    else:
                        if ans == 'CMD_DENY':
-                            aa[profile][hat]['file'].add(FileRule(exec_target, None, 'x', FileRule.ALL, owner=False, log_event=True, deny=True))
+                            active_profiles[full_profile]['file'].add(FileRule(exec_target, None, 'x', FileRule.ALL, owner=False, log_event=True, deny=True))
                            changed[profile] = True
                            if target_profile and hashlog[aamode].get(target_profile):
                                hashlog[aamode][target_profile]['final_name'] = ''
@@ -931,7 +909,7 @@ def ask_exec(hashlog):
                        else:
                            rule_to_name = FileRule.ALL

-                        aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
+                        active_profiles[full_profile]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))

                        changed[profile] = True

@@ -942,16 +920,16 @@ def ask_exec(hashlog):
                                exec_target_rule = FileRule(exec_target,      'r',  None, FileRule.ALL, owner=False)
                                interpreter_rule = FileRule(interpreter_path, None, 'ix', FileRule.ALL, owner=False)

-                                if not is_known_rule(aa[profile][hat], 'file', exec_target_rule):
-                                    aa[profile][hat]['file'].add(exec_target_rule)
-                                if not is_known_rule(aa[profile][hat], 'file', interpreter_rule):
-                                    aa[profile][hat]['file'].add(interpreter_rule)
+                                if not is_known_rule(active_profiles[full_profile], 'file', exec_target_rule):
+                                    active_profiles[full_profile]['file'].add(exec_target_rule)
+                                if not is_known_rule(active_profiles[full_profile], 'file', interpreter_rule):
+                                    active_profiles[full_profile]['file'].add(interpreter_rule)

                                if abstraction:
                                    abstraction_rule = IncludeRule(abstraction, False, True)

-                                    if not aa[profile][hat]['inc_ie'].is_covered(abstraction_rule):
-                                        aa[profile][hat]['inc_ie'].add(abstraction_rule)
+                                    if not active_profiles[full_profile]['inc_ie'].is_covered(abstraction_rule):
+                                        active_profiles[full_profile]['inc_ie'].add(abstraction_rule)

                    # Update tracking info based on kind of change

@@ -991,19 +969,21 @@ def ask_exec(hashlog):
                        if to_name:
                            exec_target = to_name

-                        if not aa[profile].get(exec_target, False):
+                        full_exec_target = combine_profname([profile, exec_target])
+                        if not active_profiles.profile_exists(full_exec_target):
                            ynans = 'y'
                            if 'i' in exec_mode:
                                ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')
                            if ynans == 'y':
-                                if not aa[profile].get(exec_target, False):
-                                    stub_profile = merged_to_split(create_new_profile(exec_target, True))
-                                    aa[profile][exec_target] = stub_profile[exec_target][exec_target]
+                                if not active_profiles.profile_exists(full_exec_target):
+                                    stub_profile = create_new_profile(exec_target, True)
+                                    for p in stub_profile:
+                                        active_profiles.add_profile(prof_filename, p, stub_profile[p]['attachment'], stub_profile[p])

                                if profile != exec_target:
-                                    aa[profile][exec_target]['flags'] = aa[profile][profile]['flags']
+                                    active_profiles[full_exec_target]['flags'] = active_profiles[profile]['flags']

-                                aa[profile][exec_target]['flags'] = 'complain'
+                                active_profiles[full_exec_target]['flags'] = 'complain'

                                if target_profile and hashlog[aamode].get(target_profile):
                                    hashlog[aamode][target_profile]['final_name'] = '%s//%s' % (profile, exec_target)
@@ -1056,8 +1036,8 @@ def ask_the_questions(log_dict):
            else:
                sev_db.set_variables({})

-            if aa.get(profile):  # only continue/ask if the parent profile exists
-                if not aa[profile].get(hat, {}).get('file'):
+            if active_profiles.profile_exists(profile):  # only continue/ask if the parent profile exists  # XXX check direct parent or top-level? Also, get rid of using "profile" here!
+                if not active_profiles.profile_exists(full_profile):
                    if aamode != 'merge':
                        # Ignore log events for a non-existing profile or child profile. Such events can occur
                        # after deleting a profile or hat manually, or when processing a foreign log.
@@ -1090,18 +1070,21 @@ def ask_the_questions(log_dict):
                        continue  # don't ask about individual rules if the user doesn't want the additional subprofile/hat

                    if log_dict[aamode][full_profile]['is_hat']:
-                        aa[profile][hat] = ProfileStorage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
-                        aa[profile][hat]['is_hat'] = True
+                        prof_obj = ProfileStorage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
+                        prof_obj['is_hat'] = True
                    else:
-                        aa[profile][hat] = ProfileStorage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
-                        aa[profile][hat]['is_hat'] = False
+                        prof_obj = ProfileStorage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
+                        prof_obj['is_hat'] = False
+
+                    prof_obj['parent'] = profile
+                    active_profiles.add_profile(prof_filename, full_profile, hat, prof_obj)

                # check for and ask about conflicting exec modes
-                ask_conflict_mode(aa[profile][hat], log_dict[aamode][full_profile])
+                ask_conflict_mode(active_profiles[full_profile], log_dict[aamode][full_profile])

                prof_changed, end_profiling = ask_rule_questions(
-                    log_dict[aamode][full_profile], combine_name(profile, hat),
-                    aa[profile][hat], ruletypes)
+                    log_dict[aamode][full_profile], full_profile,
+                    active_profiles[full_profile], ruletypes)
                if prof_changed:
                    changed[profile] = True
                if end_profiling:
@@ -1114,7 +1097,7 @@ def ask_rule_questions(prof_events, profile_name, the_profile, r_types):
       parameter       typical value
       prof_events     log_dict[aamode][full_profile]
       profile_name    profile name (possible profile//hat)
-       the_profile     aa[profile][hat] -- will be modified
+       the_profile     active_profiles[full_profile] -- will be modified
       r_types         ruletypes

       returns:
@@ -1481,14 +1464,11 @@ def set_logfile(filename):
 def do_logprof_pass(logmark='', out_dir=None):
    # set up variables for this pass
    global active_profiles
-    global sev_db
-#    aa = hasher()
 #     changed = dict()

    aaui.UI_Info(_('Reading log entries from %s.') % logfile)

-    if not sev_db:
-        sev_db = apparmor.severity.Severity(CONFDIR + '/severity.db', _('unknown'))
+    load_sev_db()
    # print(pid)
    # print(active_profiles)

@@ -1508,7 +1488,7 @@ def do_logprof_pass(logmark='', out_dir=None):
 def save_profiles(is_mergeprof=False, out_dir=None):
    # Ensure the changed profiles are actual active profiles
    for prof_name in changed.keys():
-        if not aa.get(prof_name, False):
+        if not active_profiles.profile_exists(prof_name):
            print("*** save_profiles(): removing %s" % prof_name)
            print('*** This should not happen. Please open a bugreport!')
            changed.pop(prof_name)
@@ -1545,19 +1525,19 @@ def save_profiles(is_mergeprof=False, out_dir=None):

            elif ans == 'CMD_VIEW_CHANGES':
                oldprofile = None
-                if aa[profile_name][profile_name].get('filename', False):
-                    oldprofile = aa[profile_name][profile_name]['filename']
+                if active_profiles[profile_name].get('filename', False):
+                    oldprofile = active_profiles[profile_name]['filename']
                else:
                    oldprofile = get_profile_filename_from_attachment(profile_name, True)

                serialize_options = {'METADATA': True}
-                newprofile = serialize_profile(split_to_merged(aa), profile_name, serialize_options)
+                newprofile = serialize_profile(active_profiles, profile_name, serialize_options)

                aaui.UI_Changes(oldprofile, newprofile, comments=True)

            elif ans == 'CMD_VIEW_CHANGES_CLEAN':
-                oldprofile = serialize_profile(split_to_merged(original_aa), profile_name, {})
-                newprofile = serialize_profile(split_to_merged(aa), profile_name, {})
+                oldprofile = serialize_profile(original_profiles, profile_name, {})
+                newprofile = serialize_profile(active_profiles, profile_name, {})

                aaui.UI_Changes(oldprofile, newprofile)

@@ -1590,9 +1570,9 @@ def collapse_log(hashlog, ignore_null_profiles=True):
            profile, hat = split_name(final_name)  # XXX limited to two levels to avoid an Exception on nested child profiles or nested null-*
            # TODO: support nested child profiles

-            # used to avoid to accidentally initialize aa[profile][hat] or calling is_known_rule() on events for a non-existing profile
+            # used to avoid calling is_known_rule() on events for a non-existing profile
            hat_exists = False
-            if aa.get(profile) and aa[profile].get(hat):
+            if active_profiles.profile_exists(profile) and active_profiles.profile_exists(final_name):  # we need to check for the target profile here
                hat_exists = True

            if not log_dict[aamode].get(final_name):
@@ -1601,7 +1581,7 @@ def collapse_log(hashlog, ignore_null_profiles=True):

            for ev_type, ev_class in ReadLog.ruletypes.items():
                for rule in ev_class.from_hashlog(hashlog[aamode][full_profile][ev_type]):
-                    if not hat_exists or not is_known_rule(aa[profile][hat], ev_type, rule):
+                    if not hat_exists or not is_known_rule(active_profiles[full_profile], ev_type, rule):
                        log_dict[aamode][final_name][ev_type].add(rule)

    return log_dict
@@ -1621,9 +1601,8 @@ def read_profiles(ui_msg=False, skip_profiles=()):
    #
    # The skip_profiles parameter should only be specified by tests.

-    global aa, original_aa
-    aa = {}
-    original_aa = hasher()
+    global original_profiles
+    original_profiles = ProfileList()

    if ui_msg:
        aaui.UI_Info(_('Updating AppArmor profiles in %s.') % profile_dir)
@@ -1677,7 +1656,7 @@ def read_inactive_profiles(skip_profiles=()):
                read_profile(full_file, False)


-def read_profile(file, active_profile, read_error_fatal=False):
+def read_profile(file, is_active_profile, read_error_fatal=False):
    data = None
    try:
        with open_file_read(file) as f_in:
@@ -1695,30 +1674,17 @@ def read_profile(file, active_profile, read_error_fatal=False):
    if not profile_data:
        return

-    if active_profile:
-        attach_profile_data(aa, profile_data)
-        attach_profile_data(original_aa, profile_data)
+    for profile in profile_data:
+        attachment = profile_data[profile]['attachment']
+        filename = profile_data[profile]['filename']

-        for profile in profile_data:
-            if '//' in profile:
-                continue  # TODO: handle hats/child profiles independent of main profiles
-
-            attachment = profile_data[profile]['attachment']
-            filename = profile_data[profile]['filename']
-
-            if not attachment and profile.startswith('/'):
-                attachment = profile  # use profile as name and attachment
-
-            active_profiles.add_profile(filename, profile, attachment)
-
-    else:
-        for profile in profile_data:
-            attachment = profile_data[profile]['attachment']
-            filename = profile_data[profile]['filename']
-
-            if not attachment and profile.startswith('/'):
-                attachment = profile  # use profile as name and attachment
+        if not attachment and profile.startswith('/'):
+            attachment = profile  # use profile as name and attachment

+        if is_active_profile:
+            active_profiles.add_profile(filename, profile, attachment, profile_data[profile])
+            original_profiles.add_profile(filename, profile, attachment, deepcopy(profile_data[profile]))
+        else:
            extra_profiles.add_profile(filename, profile, attachment, profile_data[profile])


@@ -1896,6 +1862,7 @@ def parse_profile_data(data, file, do_include, in_preamble):
                        profname = combine_profname((parsed_prof, hat))
                        if not profile_data.get(profname, False):
                            profile_data[profname] = ProfileStorage(parsed_prof, hat, 'parse_profile_data() required_hats')
+                            profile_data[profname]['parent'] = parsed_prof
                            profile_data[profname]['is_hat'] = True

    # End of file reached but we're stuck in a profile
@@ -1965,23 +1932,6 @@ def merged_to_split(profile_data):
    return compat


-def split_to_merged(profile_data):
-    """(temporary) helper function to convert a traditional compat['foo']['bar'] to a profile['foo//bar'] list"""
-
-    merged = {}
-
-    for profile in profile_data:
-        for hat in profile_data[profile]:
-            if profile == hat:
-                merged_name = profile
-            else:
-                merged_name = combine_profname((profile, hat))
-
-            merged[merged_name] = profile_data[profile][hat]
-
-    return merged
-
-
 def write_piece(profile_data, depth, name, nhat):
    pre = '  ' * depth
    data = []
@@ -2030,7 +1980,8 @@ def write_piece(profile_data, depth, name, nhat):


 def serialize_profile(profile_data, name, options):
-    string = ''
+    ''' combine the preamble and profiles in a file to a string (to be written to the profile file) '''
+
    data = []

    if not isinstance(options, dict):
@@ -2039,12 +1990,11 @@ def serialize_profile(profile_data, name, options):
    include_metadata = options.get('METADATA', False)

    if include_metadata:
-        string = '# Last Modified: %s\n' % time.asctime()
+        data.extend(['# Last Modified: %s' % time.asctime()])

 #     if profile_data[name].get('initial_comment', False):
 #         comment = profile_data[name]['initial_comment']
-#         comment.replace('\\n', '\n')
-#         string += comment + '\n'
+#         data.append(comment)

    if options.get('is_attachment'):
        prof_filename = get_profile_filename_from_attachment(name, True)
@@ -2055,23 +2005,29 @@ def serialize_profile(profile_data, name, options):

    # Here should be all the profiles from the files added write after global/common stuff
    for prof in sorted(active_profiles.profiles_in_file(prof_filename)):
+        if active_profiles.profiles[prof]['parent']:
+            continue  # child profile or hat, already part of its parent profile
+
+        # aa-logprof asks to save each file separately. Therefore only update the given profile, and keep the original version of other profiles in the file
        if prof != name:
-            if original_aa[prof][prof].get('initial_comment', False):
-                comment = original_aa[prof][prof]['initial_comment']
-                comment.replace('\\n', '\n')
-                data.append(comment + '\n')
-            data.extend(write_piece(split_to_merged(original_aa), 0, prof, prof))
+            if original_profiles.profile_exists(prof) and original_profiles[prof].get('initial_comment'):
+                comment = original_profiles[prof]['initial_comment']
+                data.extend([comment, ''])
+
+            data.extend(write_piece(original_profiles.get_profile_and_childs(prof), 0, prof, prof))
+
        else:
            if profile_data[name].get('initial_comment', False):
                comment = profile_data[name]['initial_comment']
-                comment.replace('\\n', '\n')
-                data.append(comment + '\n')
+                data.extend([comment, ''])

-            data.extend(write_piece(profile_data, 0, name, name))
+            # write_piece() expects a dict, not a ProfileList - TODO: change write_piece()?
+            if type(profile_data) is dict:
+                data.extend(write_piece(profile_data, 0, name, name))
+            else:
+                data.extend(write_piece(profile_data.get_profile_and_childs(name), 0, name, name))

-    string += '\n'.join(data)
-
-    return string + '\n'
+    return '\n'.join(data) + '\n'


 def write_profile_ui_feedback(profile, is_attachment=False, out_dir=None):
@@ -2080,15 +2036,15 @@ def write_profile_ui_feedback(profile, is_attachment=False, out_dir=None):


 def write_profile(profile, is_attachment=False, out_dir=None):
-    if aa[profile][profile].get('filename', False):
-        prof_filename = aa[profile][profile]['filename']
+    if active_profiles[profile]['filename']:
+        prof_filename = active_profiles[profile]['filename']
    elif is_attachment:
        prof_filename = get_profile_filename_from_attachment(profile, True)
    else:
        prof_filename = get_profile_filename_from_profile_name(profile, True)

    serialize_options = {'METADATA': True, 'is_attachment': is_attachment}
-    profile_string = serialize_profile(split_to_merged(aa), profile, serialize_options)
+    profile_string = serialize_profile(active_profiles, profile, serialize_options)

    try:
        with NamedTemporaryFile('w', suffix='~', delete=False, dir=out_dir or profile_dir) as newprof:
@@ -2113,7 +2069,9 @@ def write_profile(profile, is_attachment=False, out_dir=None):
    else:
        debug_logger.info("Unchanged profile written: %s (not listed in 'changed' list)", profile)

-    original_aa[profile] = deepcopy(aa[profile])
+    for full_profile in active_profiles.get_profile_and_childs(profile):
+        if profile == full_profile or active_profiles[full_profile]['parent']:  # copy main profile and childs, but skip external hats
+            original_profiles.replace_profile(full_profile, deepcopy(active_profiles[full_profile]))


 def include_list_recursive(profile, in_preamble=False):
@@ -2143,10 +2101,8 @@ def include_list_recursive(profile, in_preamble=False):


 def is_known_rule(profile, rule_type, rule_obj):
-    # XXX get rid of get() checks after we have a proper function to initialize a profile
-    if profile.get(rule_type, False):
-        if profile[rule_type].is_covered(rule_obj, False):
-            return True
+    if profile[rule_type].is_covered(rule_obj, False):
+        return True

    includelist = include_list_recursive(profile)

@@ -2415,3 +2371,10 @@ def init_aa(confdir=None, profiledir=None):
    parser = conf.find_first_file(cfg['settings'].get('parser')) or '/sbin/apparmor_parser'
    if not os.path.isfile(parser) or not os.access(parser, os.EX_OK):
        raise AppArmorException("Can't find apparmor_parser at %s" % (parser))
+
+
+def load_sev_db():
+    global sev_db
+
+    if not sev_db:
+        sev_db = apparmor.severity.Severity(CONFDIR + '/severity.db', _('unknown'))
--- a/utils/apparmor/cleanprofile.py
+++ b/utils/apparmor/cleanprofile.py
@@ -1,6 +1,6 @@
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-#    Copyright (C) 2014-2015 Christian Boltz <apparmor@cboltz.de>
+#    Copyright (C) 2014-2024 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -18,7 +18,6 @@ import apparmor.aa as apparmor
 class Prof:
    def __init__(self, filename):
        apparmor.init_aa()
-        self.aa = apparmor.aa
        self.active_profiles = apparmor.active_profiles
        self.include = apparmor.include
        self.filename = filename
@@ -36,7 +35,7 @@ class CleanProf:

        deleted += self.other.active_profiles.delete_preamble_duplicates(self.other.filename)

-        for profile in self.profile.aa.keys():
+        for profile in self.profile.active_profiles.get_all_profiles():
            deleted += self.remove_duplicate_rules(profile)

        return deleted
@@ -50,22 +49,22 @@ class CleanProf:
        deleted += self.profile.active_profiles.delete_preamble_duplicates(self.profile.filename)

        # Process every hat in the profile individually
-        for hat in sorted(self.profile.aa[program].keys()):
-            includes = self.profile.aa[program][hat]['inc_ie'].get_all_full_paths(apparmor.profile_dir)
+        for full_profile in sorted(self.profile.active_profiles.get_profile_and_childs(program)):
+            includes = self.profile.active_profiles[full_profile]['inc_ie'].get_all_full_paths(apparmor.profile_dir)

            # Clean up superfluous rules from includes in the other profile
            for inc in includes:
                if not self.profile.include.get(inc, {}).get(inc, False):
                    apparmor.load_include(inc)
-                if self.other.aa[program].get(hat):  # carefully avoid to accidentally initialize self.other.aa[program][hat]
-                    deleted += apparmor.delete_all_duplicates(self.other.aa[program][hat], inc, apparmor.ruletypes)
+                if self.other.active_profiles.profile_exists(full_profile):
+                    deleted += apparmor.delete_all_duplicates(self.other.active_profiles[full_profile], inc, apparmor.ruletypes)

            # Clean duplicate rules in other profile
            for ruletype in apparmor.ruletypes:
                if not self.same_file:
-                    if self.other.aa[program].get(hat):  # carefully avoid to accidentally initialize self.other.aa[program][hat]
-                        deleted += self.other.aa[program][hat][ruletype].delete_duplicates(self.profile.aa[program][hat][ruletype])
+                    if self.other.active_profiles.profile_exists(full_profile):
+                        deleted += self.other.active_profiles[full_profile][ruletype].delete_duplicates(self.profile.active_profiles[full_profile][ruletype])
                else:
-                    deleted += self.other.aa[program][hat][ruletype].delete_duplicates(None)
+                    deleted += self.other.active_profiles[full_profile][ruletype].delete_duplicates(None)

        return deleted
--- a/utils/apparmor/gui.py
+++ b/utils/apparmor/gui.py
@@ -40,8 +40,8 @@ class GUI:
        self.label_frame = ttk.Frame(self.master, padding=(20, 10))
        self.label_frame.pack()

-        self.button_frame = ttk.Frame(self.master, padding=(0, 10))
-        self.button_frame.pack()
+        self.button_frame = ttk.Frame(self.master, padding=(10, 10))
+        self.button_frame.pack(fill='x', expand=True)

    def show(self):
        self.master.mainloop()
@@ -86,6 +86,75 @@ class ShowMoreGUI(GUI):
            self.do_nothing_button.pack(side=tk.LEFT, fill=tk.BOTH, expand=True, padx=5, pady=5)


+class ShowMoreGUIAggregated(GUI):
+    def __init__(self, summary, detailed_text, clean_rules):
+        self.summary = summary
+        self.detailed_text = detailed_text
+        self.clean_rules = clean_rules
+
+        self.states = {
+            'summary': {
+                'msg': self.summary,
+                'btn_left': _('Show more details'),
+                'btn_right': _('Show rules only')
+            },
+            'detailed': {
+                'msg': self.detailed_text,
+                'btn_left': _('Show summary'),
+                'btn_right': _('Show rules only')
+            },
+            'rules_only': {
+                'msg': self.clean_rules,
+                'btn_left': _('Show more details'),
+                'btn_right': _('Show summary')
+            }
+        }
+
+        self.state = 'rules_only'
+
+        super().__init__()
+
+        self.master.title(_('AppArmor - More info'))
+
+        self.text_display = tk.Text(self.label_frame, height=40, width=100, wrap='word')
+        if ttkthemes:
+            self.text_display.configure(background=self.bg_color, foreground=self.fg_color)
+        self.text_display.insert('1.0', self.states[self.state]['msg'])
+        self.text_display['state'] = 'disabled'
+
+        self.scrollbar = ttk.Scrollbar(self.label_frame, command=self.text_display.yview)
+        self.text_display['yscrollcommand'] = self.scrollbar.set
+
+        self.scrollbar.pack(side='right', fill='y')
+        self.text_display.pack(side='left', fill='both', expand=True)
+
+        self.btn_left = ttk.Button(self.button_frame, text=self.states[self.state]['btn_left'], width=1, command=lambda: self.change_view('btn_left'))
+        self.btn_left.grid(row=0, column=0, padx=5, pady=5, sticky="ew")
+
+        self.btn_right = ttk.Button(self.button_frame, text=self.states[self.state]['btn_right'], width=1, command=lambda: self.change_view('btn_right'))
+        self.btn_right.grid(row=0, column=1, padx=5, pady=5, sticky="ew")
+
+        self.btn_allow_all = ttk.Button(self.button_frame, text="Allow All", width=1, command=lambda: self.set_result('allow_all'))
+        self.btn_allow_all.grid(row=0, column=2, padx=5, pady=5, sticky="ew")
+
+        for i in range(3):
+            self.button_frame.grid_columnconfigure(i, weight=1)
+
+    def change_view(self, action):
+
+        if action == 'btn_left':
+            self.state = 'detailed' if self.state != 'detailed' else 'summary'
+        elif action == 'btn_right':
+            self.state = 'rules_only' if self.state != 'rules_only' else 'summary'
+
+        self.btn_left['text'] = self.states[self.state]['btn_left']
+        self.btn_right['text'] = self.states[self.state]['btn_right']
+        self.text_display['state'] = 'normal'
+        self.text_display.delete('1.0', 'end')
+        self.text_display.insert('1.0', self.states[self.state]['msg'])
+        self.text_display['state'] = 'disabled'
+
+
 class UsernsGUI(GUI):
    def __init__(self, name, path):
        self.name = name
--- a/utils/apparmor/profile_list.py
+++ b/utils/apparmor/profile_list.py
@@ -1,5 +1,5 @@
 # ----------------------------------------------------------------------
-#    Copyright (C) 2018-2020 Christian Boltz <apparmor@cboltz.de>
+#    Copyright (C) 2018-2024 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -52,6 +52,12 @@ class ProfileList:
        name = type(self).__name__
        return '\n<%s>\n%s\n</%s>\n' % (name, '\n'.join(self.files), name)

+    def __getitem__(self, key):
+        if key in self.profiles:
+            return self.profiles[key]
+        else:
+            raise AppArmorBug('attempt to read unknown profile %s' % key)
+
    def init_file(self, filename):
        if self.files.get(filename):
            return  # don't re-initialize / overwrite existing data
@@ -63,7 +69,7 @@ class ProfileList:
        for rule in preamble_ruletypes:
            self.files[filename][rule] = preamble_ruletypes[rule]['ruleset']()

-    def add_profile(self, filename, profile_name, attachment, prof_storage=None):
+    def add_profile(self, filename, profile_name, attachment, prof_storage):
        """Add the given profile and attachment to the list"""

        if not filename:
@@ -72,7 +78,7 @@ class ProfileList:
        if not profile_name and not attachment:
            raise AppArmorBug('Neither profile name or attachment given')

-        if type(prof_storage) is not ProfileStorage and prof_storage is not None:
+        if type(prof_storage) is not ProfileStorage:
            raise AppArmorBug('Invalid profile type: %s' % type(prof_storage))

        if profile_name in self.profile_names:
@@ -101,6 +107,21 @@ class ProfileList:
            self.files[filename]['profiles'].append(attachment)
            self.profiles[attachment] = prof_storage

+    def replace_profile(self, profile_name, prof_storage):
+        """Replace the given profile in the profile list"""
+
+        if profile_name not in self.profiles:
+            raise AppArmorBug('Attempt to replace non-existing profile %s' % profile_name)
+
+        if type(prof_storage) is not ProfileStorage:
+            raise AppArmorBug('Invalid profile type: %s' % type(prof_storage))
+
+        # we might lift this restriction later, but for now, forbid changing the attachment instead of updating self.attachments
+        if self.profiles[profile_name]['attachment'] != prof_storage['attachment']:
+            raise AppArmorBug('Attempt to change atttachment while replacing profile %s - original: %s, new: %s' % (profile_name, self.profiles[profile_name]['attachment'], prof_storage['attachment']))
+
+        self.profiles[profile_name] = prof_storage
+
    def add_rule(self, filename, ruletype, rule):
        """Store the given rule for the given profile filename preamble"""

@@ -168,6 +189,9 @@ class ProfileList:

        return deleted

+    def get_all_profiles(self):
+        return self.profiles
+
    def get_profile_and_childs(self, profile_name):
        found = {}
        for prof in self.profiles:
@@ -283,6 +307,9 @@ class ProfileList:

        return merged_variables

+    def profile_exists(self, profile_name):
+        return profile_name in self.profiles
+
    def profiles_in_file(self, filename):
        """Return list of profiles in the given file"""
        if not self.files.get(filename):
--- a/utils/apparmor/profile_storage.py
+++ b/utils/apparmor/profile_storage.py
@@ -1,6 +1,6 @@
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-#    Copyright (C) 2014-2021 Christian Boltz <apparmor@cboltz.de>
+#    Copyright (C) 2014-2024 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -77,6 +77,7 @@ class ProfileStorage:

        data['filename'] = ''
        data['logprof_suggest'] = ''  # set in abstractions that should be suggested by aa-logprof
+        data['parent'] = ''  # parent profile, or '' for top-level profiles and external hats
        data['name'] = ''
        data['attachment'] = ''
        data['xattrs'] = ''
@@ -221,11 +222,13 @@ class ProfileStorage:
                    _('%(profile)s profile in %(file)s contains syntax errors in line %(line)s: a child profile inside another child profile is not allowed.')
                    % {'profile': profile, 'file': file, 'line': lineno + 1})

+            parent = profile
            hat = matches['profile']
            prof_or_hat_name = hat
            pps_set_hat_external = False

        else:  # stand-alone profile
+            parent = ''
            profile = matches['profile']
            prof_or_hat_name = profile
            if len(profile.split('//')) > 2:
@@ -241,6 +244,7 @@ class ProfileStorage:

        prof_storage = cls(profile, hat, cls.__name__ + '.parse()')

+        prof_storage['parent'] = parent
        prof_storage['name'] = prof_or_hat_name
        prof_storage['filename'] = file
        prof_storage['external'] = pps_set_hat_external
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -1,6 +1,6 @@
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-#    Copyright (C) 2015-2023 Christian Boltz <apparmor@cboltz.de>
+#    Copyright (C) 2015-2024 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -64,7 +64,7 @@ class aa_tools:
                    prof_filename = apparmor.get_profile_filename_from_attachment(fq_path, True)
            else:
                which_ = which(p)
-                if self.name == 'cleanprof' and p in apparmor.aa:
+                if self.name == 'cleanprof' and apparmor.active_profiles.profile_exists(p):
                    program = p  # not really correct, but works
                    profile = p
                    prof_filename = apparmor.get_profile_filename_from_profile_name(profile)
@@ -104,14 +104,14 @@ class aa_tools:
            if program is None:
                program = profile

-            if not program or not (os.path.exists(program) or profile in apparmor.aa):
+            if not program or not (os.path.exists(program) or apparmor.active_profiles.profile_exists(profile)):
                if program and not program.startswith('/'):
                    program = aaui.UI_GetString(_('The given program cannot be found, please try with the fully qualified path name of the program: '), '')
                else:
                    aaui.UI_Info(_("%s does not exist, please double-check the path.") % program)
                    sys.exit(1)

-            if program and profile in apparmor.aa:
+            if program and apparmor.active_profiles.profile_exists(profile):
                self.clean_profile(program, profile, prof_filename)

            else:
@@ -207,8 +207,8 @@ class aa_tools:
                    apparmor.write_profile_ui_feedback(profile)
                    self.reload_profile(prof_filename)
                elif ans == 'CMD_VIEW_CHANGES':
-                    # oldprofile = apparmor.serialize_profile(apparmor.split_to_merged(apparmor.original_aa), profile, {})
-                    newprofile = apparmor.serialize_profile(apparmor.split_to_merged(apparmor.aa), profile, {})  # , {'is_attachment': True})
+                    # oldprofile = apparmor.serialize_profile(apparmor.original_profiles, profile, {})
+                    newprofile = apparmor.serialize_profile(apparmor.active_profiles, profile, {})  # , {'is_attachment': True})
                    aaui.UI_Changes(prof_filename, newprofile, comments=True)

    def unload_profile(self, prof_filename):
--- a/utils/apparmor/update_profile.py
+++ b/utils/apparmor/update_profile.py
@@ -29,15 +29,15 @@ def create_userns(template_path, name, bin_path, profile_path, decision):

 def add_to_profile(rule, profile_name):
    aa.init_aa()
-    aa.read_profiles()
+    aa.update_profiles()

    rule_type, rule_class = ReadLog('', '', '').get_rule_type(rule)

    rule_obj = rule_class.create_instance(rule)

-    if profile_name not in aa.aa or profile_name not in aa.aa[profile_name]:
+    if not aa.active_profiles.profile_exists(profile_name):
        exit(_('Cannot find {} in profiles').format(profile_name))
-    aa.aa[profile_name][profile_name][rule_type].add(rule_obj, cleanup=True)
+    aa.active_profiles[profile_name][rule_type].add(rule_obj, cleanup=True)

    # Save changes
    aa.write_profile_ui_feedback(profile_name)
@@ -48,31 +48,50 @@ def usage(is_help):
    print('This tool is a low level tool - do not use it directly')
    print('{} create_userns <template_path> <name> <bin_path> <profile_path> <decision>'.format(sys.argv[0]))
    print('{} add_rule <rule> <profile_name>'.format(sys.argv[0]))
-
+    print('{} from_file <file>'.format(sys.argv[0]))
    if is_help:
        exit(0)
    else:
        exit(1)


+def create_from_file(file_path):
+    with open(file_path) as file:
+        for line in file:
+            args = line[:-1].split('\t')
+            if len(args) > 1:
+                command = args[0]
+            else:
+                command = None  # Handle the case where no command is provided
+            do_command(command, args)
+
+
+def do_command(command, args):
+    if command == 'from_file':
+        if not len(args) == 2:
+            usage(False)
+        create_from_file(args[1])
+    elif command == 'create_userns':
+        if not len(args) == 6:
+            usage(False)
+        create_userns(args[1], args[2], args[3], args[4], args[5])
+    elif command == 'add_rule':
+        if not len(args) == 3:
+            usage(False)
+        add_to_profile(args[1], args[2])
+    elif command == 'help':
+        usage(True)
+    else:
+        usage(False)
+
+
 def main():
    if len(sys.argv) > 1:
        command = sys.argv[1]
    else:
        command = None  # Handle the case where no command is provided

-    if command == 'create_userns':
-        if not len(sys.argv) == 7:
-            usage(False)
-        create_userns(sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5], sys.argv[6])
-    elif command == 'add_rule':
-        if not len(sys.argv) == 4:
-            usage(False)
-        add_to_profile(sys.argv[2], sys.argv[3])
-    elif command == 'help':
-        usage(True)
-    else:
-        usage(False)
+    do_command(command, sys.argv[1:])


 if __name__ == '__main__':
--- a/utils/net.apparmor.pkexec.aa-notify.policy
+++ b/utils/net.apparmor.pkexec.aa-notify.policy
@@ -4,7 +4,7 @@
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
 <policyconfig>

-  <action id="net.apparmor.pkexec.aa-notify.modify_profile">
+  <action id="com.ubuntu.pkexec.aa-notify.modify_profile">
    <description>AppArmor: modifying security profile</description>
    <message>To modify an AppArmor security profile, you need to authenticate.</message>
    <defaults>
@@ -15,7 +15,7 @@
    <annotate key="org.freedesktop.policykit.exec.path">{LIB_PATH}apparmor/update_profile.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">add_rule</annotate>
  </action>
-  <action id="net.apparmor.pkexec.aa-notify.create_userns">
+  <action id="com.ubuntu.pkexec.aa-notify.create_userns">
    <description>AppArmor: adding userns profile</description>
    <message>To allow a program to use unprivileged user namespaces, you need to authenticate.</message>
    <defaults>
@@ -26,5 +26,16 @@
    <annotate key="org.freedesktop.policykit.exec.path">{LIB_PATH}apparmor/update_profile.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">create_userns</annotate>
  </action>
+  <action id="com.ubuntu.pkexec.aa-notify.from_file">
+    <description>AppArmor: Modifying profile from file</description>
+    <message>To modify an AppArmor security profile from file, you need to authenticate.</message>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">{LIB_PATH}apparmor/update_profile.py</annotate>
+    <annotate key="org.freedesktop.policykit.exec.argv1">from_file</annotate>
+  </action>

 </policyconfig>
--- a/utils/emacs/apparmor-mode.el
+++ b/utils/emacs/apparmor-mode.el
@@ -1,424 +0,0 @@
-;;; apparmor-mode.el --- Major mode for editing AppArmor policy files         -*- lexical-binding: t; -*-
-
-;; Copyright (c) 2018 Alex Murray
-
-;; Author: Alex Murray <murray.alex@gmail.com>
-;; Maintainer: Alex Murray <murray.alex@gmail.com>
-;; URL: https://gitlab.com/apparmor/apparmor
-;; Version: 0.8.2
-;; Package-Requires: ((emacs "26.1"))
-
-;; This file is not part of GNU Emacs.
-
-;; This program is free software: you can redistribute it and/or modify
-;; it under the terms of the GNU General Public License as published by
-;; the Free Software Foundation, either version 3 of the License, or
-;; (at your option) any later version.
-
-;; This program is distributed in the hope that it will be useful,
-;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-;; GNU General Public License for more details.
-
-;; You should have received a copy of the GNU General Public License
-;; along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-;;; Commentary:
-
-;; The following documentation sources were used:
-;; https://gitlab.com/apparmor/apparmor/wikis/QuickProfileLanguage
-;; https://gitlab.com/apparmor/apparmor/wikis/ProfileLanguage
-
-;; TODO:
-;; - do smarter completion syntactically via regexps
-;; - decide if to use entire line regexp for statements or
-;;   - not (ie just a subset?)  if we use regexps above then
-;;   - should probably keep full regexps here so can reuse
-;; - expand highlighting of mount rules (options=...) similar to dbus
-;; - add tests via ert etc
-
-;;;; Setup
-
-;; (require 'apparmor-mode)
-
-;;; Code:
-
-;; for flycheck integration
-(declare-function flycheck-define-command-checker "ext:flycheck.el"
-                  (symbol docstring &rest properties))
-(declare-function flycheck-valid-checker-p "ext:flycheck.el")
-(defvar flycheck-checkers)
-
-(defgroup apparmor nil
-  "Major mode for editing AppArmor policies."
-  :group 'tools)
-
-(defcustom apparmor-mode-indent-offset 2
-  "Indentation offset in `apparmor-mode' buffers."
-  :type 'integer
-  :group 'apparmor)
-
-(defvar apparmor-mode-keywords '("all" "audit" "capability" "chmod" "delegate"
-                                 "dbus" "deny" "file" "flags" "io_uring" "include"
-                                 "include if exists" "link" "mount" "mqueue"
-                                 "network" "on" "owner" "pivot_root" "profile"
-                                 "quiet" "remount" "rlimit" "safe" "subset" "to"
-                                 "umount" "unsafe" "userns"))
-
-(defvar apparmor-mode-profile-flags '("enforce" "complain" "debug" "kill"
-                                      "chroot_relative" "namespace_relative"
-                                      "attach_disconnected" "no_attach_disconnected"
-                                      "chroot_attach" "chroot_no_attach"
-                                      "unconfined"))
-
-(defvar apparmor-mode-capabilities '("audit_control" "audit_write" "chown"
-                                     "dac_override" "dac_read_search" "fowner"
-                                     "fsetid" "ipc_lock" "ipc_owner" "kill"
-                                     "lease" "linux_immutable" "mac_admin"
-                                     "mac_override" "mknod" "net_admin"
-                                     "net_bind_service" "net_broadcast"
-                                     "net_raw" "setfcap" "setgid" "setpcap"
-                                     "setuid" "syslog" "sys_admin" "sys_boot"
-                                     "sys_chroot" "sys_module" "sys_nice"
-                                     "sys_pacct" "sys_ptrace" "sys_rawio"
-                                     "sys_resource" "sys_time"
-                                     "sys_tty_config"))
-
-(defvar apparmor-mode-network-permissions '("create" "accept" "bind" "connect"
-                                            "listen" "read" "write" "send"
-                                            "receive" "getsockname" "getpeername"
-                                            "getsockopt" "setsockopt" "fcntl"
-                                            "ioctl" "shutdown" "getpeersec"
-                                            "sqpoll" "override_creds"))
-
-(defvar apparmor-mode-network-domains '("inet" "ax25" "ipx" "appletalk" "netrom"
-                                        "bridge" "atmpvc" "x25" "inet6" "rose"
-                                        "netbeui" "security" "key" "packet"
-                                        "ash" "econet" "atmsvc" "sna" "irda"
-                                        "pppox" "wanpipe" "bluetooth" "unix"))
-
-(defvar apparmor-mode-network-types '("stream" "dgram" "seqpacket" "raw" "rdm"
-                                      "packet" "dccp"))
-
-;; TODO: this is not complete since is not fully documented
-(defvar apparmor-mode-network-protocols '("tcp" "udp" "icmp"))
-
-(defvar apparmor-mode-dbus-permissions '("r" "w" "rw" "send" "receive"
-                                         "acquire" "bind" "read" "write"))
-
-(defvar apparmor-mode-rlimit-types '("fsize" "data" "stack" "core" "rss" "as"
-                                     "memlock" "msgqueue" "nofile" "locks"
-                                     "sigpending" "nproc" "rtprio" "cpu"
-                                     "nice"))
-
-(defvar apparmor-mode-abi-regexp "^\\s-*\\(#?abi\\)\\s-+\\([<\"][[:graph:]]+[\">]\\)")
-
-(defvar apparmor-mode-include-regexp "^\\s-*\\(#?include\\( if exists\\)?\\)\\s-+\\([<\"][[:graph:]]+[\">]\\)")
-
-(defvar apparmor-mode-capability-regexp (concat  "^\\s-*\\(capability\\)\\s-+\\("
-                                                 (regexp-opt apparmor-mode-capabilities)
-                                                 "\\s-*\\)*"))
-
-(defvar apparmor-mode-variable-name-regexp "@{[[:alpha:]_]+}")
-
-(defvar apparmor-mode-variable-regexp
-  (concat "^\\s-*\\(" apparmor-mode-variable-name-regexp "\\)\\s-*\\(\\+?=\\)\\s-*\\([[:graph:]]+\\)\\(\\s-+\\([[:graph:]]+\\)\\)?\\s-*\\(#.*\\)?$"))
-
-(defvar apparmor-mode-profile-name-regexp "[[:alnum:]]+")
-
-(defvar apparmor-mode-profile-attachment-regexp "[][[:alnum:]*@/_{},-.?]+")
-
-(defvar apparmor-mode-profile-flags-regexp
-  (concat  "\\(flags\\)=(\\(" (regexp-opt apparmor-mode-profile-flags) "\\s-*\\)*)") )
-
-(defvar apparmor-mode-profile-regexp
-  (concat "^\\s-*\\(\\(profile\\)\\s-+\\(\\(" apparmor-mode-profile-name-regexp "\\)\\s-+\\)?\\)?\\(\\^?" apparmor-mode-profile-attachment-regexp "\\)\\(\\s-+" apparmor-mode-profile-flags-regexp "\\)?\\s-+{\\s-*$"))
-
-(defvar apparmor-mode-file-rule-permissions-regexp "[CPUaciklmpruwx]+")
-
-(defvar apparmor-mode-file-rule-permissions-prefix-regexp
-  (concat "^\\s-*\\(\\(audit\\|owner\\|deny\\)\\s-+\\)*\\(file\\s-+\\)?"
-          "\\(" apparmor-mode-file-rule-permissions-regexp "\\)\\s-+"
-          "\\(" apparmor-mode-profile-attachment-regexp "\\)\\s-*"
-          "\\(->\\s-+\\(" apparmor-mode-profile-attachment-regexp "\\)\\)?\\s-*"
-          ","))
-
-(defvar apparmor-mode-file-rule-permissions-suffix-regexp
-  (concat "^\\s-*\\(\\(audit\\|owner\\|deny\\)\\s-+\\)*\\(file\\s-+\\)?"
-          "\\(" apparmor-mode-profile-attachment-regexp "\\)\\s-+"
-          "\\(" apparmor-mode-file-rule-permissions-regexp "\\)\\s-*"
-          "\\(->\\s-+\\(" apparmor-mode-profile-attachment-regexp "\\)\\)?\\s-*"
-          ","))
-
-(defvar apparmor-mode-network-rule-regexp
-  (concat
-   "^\\s-*\\(\\(audit\\|quiet\\|deny\\)\\s-+\\)*network\\s-*"
-   "\\(" (regexp-opt apparmor-mode-network-permissions 'words) "\\)?\\s-*"
-   "\\(" (regexp-opt apparmor-mode-network-domains 'words) "\\)?\\s-*"
-   "\\(" (regexp-opt apparmor-mode-network-types 'words) "\\)?\\s-*"
-   "\\(" (regexp-opt apparmor-mode-network-protocols 'words) "\\)?\\s-*"
-   ;; TODO: address expression
-   "\\(delegate to\\s-+\\(" apparmor-mode-profile-attachment-regexp "\\)\\)?\\s-*"
-   ","))
-
-(defvar apparmor-mode-dbus-rule-regexp
-  (concat
-   "^\\s-*\\(\\(audit\\|deny\\)\\s-+\\)?dbus\\s-*"
-   "\\(\\(bus\\)=\\(system\\|session\\)\\)?\\s-*"
-   "\\(\\(dest\\)=\\([[:alpha:].]+\\)\\)?\\s-*"
-   "\\(\\(path\\)=\\([[:alpha:]/]+\\)\\)?\\s-*"
-   "\\(\\(interface\\)=\\([[:alpha:].]+\\)\\)?\\s-*"
-   "\\(\\(method\\)=\\([[:alpha:]_]+\\)\\)?\\s-*"
-   ;; permissions - either a single permission or multiple permissions in
-   ;; parentheses with commas and whitespace separating
-   "\\("
-   (regexp-opt apparmor-mode-dbus-permissions 'words)
-   "\\|"
-   "("
-   (regexp-opt apparmor-mode-dbus-permissions 'words)
-   "\\("
-   (regexp-opt apparmor-mode-dbus-permissions 'words) ",\\s-+"
-   "\\)"
-   "\\)?\\s-*"
-   ","))
-
-(defvar apparmor-mode-font-lock-defaults
-  `(((,(regexp-opt apparmor-mode-keywords 'symbols) . font-lock-keyword-face)
-     (,(regexp-opt apparmor-mode-rlimit-types 'symbols) . font-lock-type-face)
-     ;; comma at end-of-line
-     (",\\s-*$" . 'font-lock-builtin-face)
-     ;; TODO be more specific about where these are valid
-     ("->" . 'font-lock-builtin-face)
-     ("[=\\+()]" . 'font-lock-builtin-face)
-     ("+=" . 'font-lock-builtin-face)
-     ("<=" . 'font-lock-builtin-face) ; rlimit
-     ;; abi
-     (,apparmor-mode-abi-regexp
-      (1 font-lock-preprocessor-face t)
-      (2 font-lock-string-face t))
-     ;; includes
-     (,apparmor-mode-include-regexp
-      (1 font-lock-preprocessor-face t)
-      (3 font-lock-string-face t))
-     ;; variables
-     (,apparmor-mode-variable-name-regexp 0 font-lock-variable-name-face t)
-     ;; profiles
-     (,apparmor-mode-profile-regexp
-      (4 font-lock-function-name-face t nil)
-      (5 font-lock-variable-name-face t))
-     ;; capabilities
-     (,apparmor-mode-capability-regexp 2 font-lock-type-face t)
-     ;; file rules
-     (,apparmor-mode-file-rule-permissions-prefix-regexp
-      (3 font-lock-keyword-face nil t) ; class
-      (4 font-lock-constant-face t) ; permissions
-      (7 font-lock-function-name-face nil t)) ;profile
-     (,apparmor-mode-file-rule-permissions-suffix-regexp
-      (3 font-lock-keyword-face nil t) ; class
-      (5 font-lock-constant-face t) ; permissions
-      (7 font-lock-function-name-face nil t)) ;profile
-     ;; network rules
-     (,apparmor-mode-network-rule-regexp
-      (3 font-lock-constant-face t) ;permissions
-      (4 font-lock-function-name-face t) ;domain
-      (5 font-lock-variable-name-face t) ;type
-      (6 font-lock-type-face t)) ; protocol
-     ;; dbus rules
-     (,apparmor-mode-dbus-rule-regexp
-      (4 font-lock-variable-name-face t) ;bus
-      (5 font-lock-constant-face t) ;system/session
-      (7 font-lock-variable-name-face t) ;dest
-      (10 font-lock-variable-name-face t)
-      (13 font-lock-variable-name-face t)
-      (16 font-lock-variable-name-face t)))))
-
-(defvar apparmor-mode-syntax-table
-  (let ((table (make-syntax-table)))
-    ;; # is comment start
-    (modify-syntax-entry ?# "<" table)
-    ;; newline finishes comment line
-    (modify-syntax-entry ?\n ">" table)
-    ;; / and + is used in path names which we want to treat as an entire word
-    (modify-syntax-entry ?/ "w" table)
-    (modify-syntax-entry ?+ "w" table)
-    table))
-
-(defun apparmor-mode-complete-include (prefix &optional local)
-  "Return list of completions of include for PREFIX which could be LOCAL."
-  (let* ((file-name (file-name-base prefix))
-         (parent (file-name-directory prefix))
-         (directory (concat (if local default-directory "/etc/apparmor.d") "/"
-                            parent)))
-    ;; need to prepend all of directory part of prefix
-    (mapcar (lambda (f) (concat parent f))
-            (file-name-all-completions file-name directory))))
-
-;; TODO - make a lot smarter than just keywords - complete paths from the
-;; system if we look like a path, do sub-completion based on the current lines
-;; keyword etc - ie match against syntax highlighting regexes and use those to
-;; further complete etc
-(defun apparmor-mode-completion-at-point ()
-  "`completion-at-point' function for `apparmor-mode'."
-  (let ((prefix (or (thing-at-point 'word t) ""))
-        (bounds (bounds-of-thing-at-point 'word))
-        (bol (save-excursion (beginning-of-line) (point)))
-        (candidates nil))
-    (setq candidates
-          (cond ((looking-back "#?include\\s-+\\([<\"]\\)[[:graph:]]*" bol)
-                 (apparmor-mode-complete-include
-                  prefix (string= (match-string 1) "\"")))
-                (t apparmor-mode-keywords)))
-    (list (car bounds) ; start
-          (cdr bounds) ; end
-          candidates
-          :company-docsig #'identity)))
-
-(defun apparmor-mode-indent-line ()
-  "Indent current line in `apparmor-mode'."
-  (interactive)
-  (if (bolp)
-      (apparmor-mode--indent-line)
-    (save-excursion
-      (apparmor-mode--indent-line))))
-
-(defun apparmor-mode--indent-line ()
-  "Indent current line in `apparmor-mode'."
-  (beginning-of-line)
-  (cond
-   ((bobp)
-    ;; simple case indent to 0
-    (indent-line-to 0))
-   ((looking-at "^\\s-*}\\s-*$")
-    ;; block closing, deindent relative to previous line
-    (indent-line-to (save-excursion
-                      (forward-line -1)
-                      (max 0 (- (current-indentation) apparmor-mode-indent-offset)))))
-    ;; other cases need to look at previous lines
-   (t
-    (indent-line-to (save-excursion
-                      (forward-line -1)
-                      ;; keep going backwards until we have a line with actual
-                      ;; content since blank lines don't count
-                      (while (and (looking-at "^\\s-*$")
-                                  (not (bobp)))
-                        (forward-line -1))
-                      (cond
-                       ((looking-at "\\(^.*{[^}]*$\\)")
-                        ;; previous line opened a block, indent to that line
-                        (+ (current-indentation) apparmor-mode-indent-offset))
-                       (t
-                        ;; default case, indent the same as previous line
-                        (current-indentation))))))))
-
-;;;###autoload
-(define-derived-mode apparmor-mode prog-mode "AppArmor"
-  "Major mode for editing AppArmor profiles."
-  :syntax-table apparmor-mode-syntax-table
-  (setq font-lock-defaults apparmor-mode-font-lock-defaults)
-  (setq-local indent-line-function #'apparmor-mode-indent-line)
-  (add-to-list 'completion-at-point-functions #'apparmor-mode-completion-at-point)
-  (setq imenu-generic-expression `(("Profiles" ,apparmor-mode-profile-regexp 5)))
-  (setq comment-start "#")
-  (setq comment-end "")
-  (when (require 'flycheck nil t)
-    (unless (flycheck-valid-checker-p 'apparmor)
-      (flycheck-define-command-checker 'apparmor
-        "A checker using apparmor_parser. "
-        :command '("apparmor_parser"
-                  "-Q" ;; skip kernel load
-                  "-K" ;; skip cache
-                  source)
-        :error-patterns '((error line-start "AppArmor parser error at line "
-                                 line ": " (message)
-                                line-end)
-                          (error line-start "AppArmor parser error for "
-                                 (one-or-more not-newline)
-                                 " in profile " (file-name)
-                                 " at line " line ": " (message)
-                                line-end))
-        :modes '(apparmor-mode)))
-    (add-to-list 'flycheck-checkers 'apparmor t)))
-
-;; flymake integration
-(defvar-local apparmor-mode--flymake-proc nil)
-
-(defun apparmor-mode-flymake (report-fn &rest _args)
-  "`flymake' backend function for `apparmor-mode' to report errors via REPORT-FN."
-  ;; disable if apparmor_parser is not available
-  (unless (executable-find "apparmor_parser")
-    (error "Cannot find apparmor_parser"))
-
-  ;; kill any existing running instance
-  (when (process-live-p apparmor-mode--flymake-proc)
-    (kill-process apparmor-mode--flymake-proc))
-
-  (let ((source (current-buffer))
-        (contents (buffer-substring (point-min) (point-max))))
-    ;; when the current buffer is an abstraction then fake a profile around it so
-    ;; we can check it
-    (when (and (buffer-file-name)
-               (string-match-p ".*/abstractions/.*" (buffer-file-name)))
-      (setq contents (format "profile %s { %s }" (buffer-name) contents)))
-    (save-restriction
-      (widen)
-      ;; Reset the `apparmor-mode--flymake-proc' process to a new process
-      ;; calling check-syntax.
-      (setq
-       apparmor-mode--flymake-proc
-       (make-process
-        :name "apparmor-mode-flymake" :noquery t :connection-type 'pipe
-        ;; Make output go to a temporary buffer.
-        :buffer (generate-new-buffer " *apparmor-mode-flymake*")
-        ;; TODO: specify the base directory so that includes resolve correctly
-        ;; rather than using the system ones
-        :command '("apparmor_parser" "-Q" "-K" "/dev/stdin")
-        :sentinel
-        (lambda (proc _event)
-          (when (memq (process-status proc) '(exit signal))
-            (unwind-protect
-                ;; Only proceed if `proc' is the same as
-                ;; `apparmor-mode--flymake-proc', which indicates that
-                ;; `proc' is not an obsolete process.
-                ;;
-                (if (with-current-buffer source (eq proc apparmor-mode--flymake-proc))
-                    (with-current-buffer (process-buffer proc)
-                      (goto-char (point-min))
-                      ;; Parse the output buffer for diagnostic's
-                      ;; messages and locations, collect them in a list
-                      ;; of objects, and call `report-fn'.
-                      ;;
-                      (cl-loop
-                       while (search-forward-regexp
-                              "^\\(AppArmor parser error \\(?:for /dev/stdin in profile .*\\)?at line \\)\\([0-9]+\\): \\(.*\\)$"
-                              nil t)
-                       for msg = (match-string 3)
-                       for (beg . end) = (flymake-diag-region
-                                          source
-                                          (string-to-number (match-string 2)))
-                       for type = :error
-                       collect (flymake-make-diagnostic source beg end type msg)
-                       into diags
-                       finally (funcall report-fn diags)))
-                  (flymake-log :warning "Cancelling obsolete check %s" proc))
-              ;; Cleanup the temporary buffer used to hold the
-              ;; check's output.
-              (kill-buffer (process-buffer proc)))))))
-      (process-send-string apparmor-mode--flymake-proc contents)
-      (process-send-eof apparmor-mode--flymake-proc))))
-
-;;;###autoload
-(defun apparmor-mode-setup-flymake-backend ()
-  "Setup the `flymake' backend for `apparmor-mode'."
-  (add-hook 'flymake-diagnostic-functions 'apparmor-mode-flymake nil t))
-
-;;;###autoload
-(add-hook 'apparmor-mode-hook 'apparmor-mode-setup-flymake-backend)
-
-;;;###autoload
-(add-to-list 'auto-mode-alist '("\\`/etc/apparmor\\.d/" . apparmor-mode))
-;;;###autoload
-(add-to-list 'auto-mode-alist '("\\`/var/lib/snapd/apparmor/profiles/" . apparmor-mode))
-
-
-(provide 'apparmor-mode)
-;;; apparmor-mode.el ends here
--- a/utils/notify.conf
+++ b/utils/notify.conf
@@ -23,6 +23,12 @@ ignore_denied_capability="sudo,su"
 # OPTIONAL - kind of operations which display a popup prompt.
 # prompt_filter="userns"

+# OPTIONAL - Maximum number of profile that can send notification before they are merged
+# maximum_number_notification_profiles=2
+
+# OPTIONAL - Keys to aggregate when merging events
+# keys_to_aggregate="operation,class,name,denied,target"
+
 # OPTIONAL - restrict using aa-notify to users in the given group
 # (if not set, everybody who has permissions to read the logfile can use it)
 # use_group="admin"
--- a/utils/po/README
+++ b/utils/po/README
@@ -1,10 +1,8 @@
 GENERATING TRANSLATION MESSAGES

-To generate the messages.pot file:
+To generate the .pot file, run the following command in the po directory:

-Run the following command in Translate.
-python pygettext.py ../apparmor/*.py ../Tools/aa*
+pygettext3 -o apparmor-utils.pot ../apparmor/*.py $(find .. -executable -name 'aa-*')

-It will generate the messages.pot file in the Translate directory.
+It will generate the apparmor-utils.pot file in the po directory.

-You might need to provide the full path to pygettext.py from your python installation. It will typically be in the /path/to/python/libs/Tools/i18n/pygettext.py
--- a/utils/po/apparmor-utils.pot
+++ b/utils/po/apparmor-utils.pot
--- a/Show More
+++ b/Show More