Accepting request 710683 from security:apparmor

- update to 2.13.3 - profile updates for dnsmasq, dovecot, identd, syslog-ng - new "lsb_release" profile (only used when using "Px -> lsb_release") - fix buggy syntax in tunables/share - several abstraction updates - parser: fix "Px -> foo-bar" (the "-" was rejected before) - several bugfixes in aa-genprof and aa-logprof - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 for the detailed upstream changelog - drop upstream(ed) patches: - apparmor-nameservice-resolv-conf-link.patch - profile_filename_cornercase.diff - dnsmasq-libvirtd.diff - dnsmasq-revert-alternation.diff - usrmerge-fixes.diff - libapparmor-swig-4.diff - re-number remaining patches libapparmor: - update to AppArmor 2.13.1 - some fixes in cache handling - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 for the detailed upstream changelog OBS-URL: https://build.opensuse.org/request/show/710683 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=129
2019-06-22 09:04:46 +00:00 · 2019-06-22 09:04:46 +00:00 · 905c5d44d8
commit 905c5d44d8
parent fa1219e441 c2744d57c4
14 changed files with 58 additions and 1145 deletions
--- a/apparmor-2.13.2.tar.gz
+++ b/apparmor-2.13.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30
-size 7369240
--- a/apparmor-2.13.2.tar.gz.asc
+++ b/apparmor-2.13.2.tar.gz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAlwczB8aHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLtQ7BAAkhe2XlK/VUYTLHDYp9Ku
-v7F8fNsUAl+fAnUBr8zyqHqUDhcJuknE097DO1SIqkqYwn3wm4SC9otEwodHLXpQ
-ruDPLd1id1+440toHDDD0vEJD3AOPTyxrH5Py3OwulZ5AmVdzGiiqy2u57dHucqQ
-wg6ZJqXC+HeiaGWvEeh0vWAVrg/NyLNCHV6nAvYW1QoS/86MkbPJygA2srVWME3n
-EFiTJdHuRUVqAus2a48tGnLmg0jokF8iUK27HBJVYb38md9Ve3483BfUc0eaWDqb
-2x48PK1U3qEw/p7kwhmXKCsMwpFN2+2kjxTYm0htwYwAempKfqDAqdQa3J1C6XLL
-g0x4QtXdIwjdr3/gKyYH5ZoAxSYEfRqA4jRg7jh4mNCsNvdIfhbtexJwiSBQbugw
-5WygriBvHcxeYlWzLVwKfYqsuvZH+MaL+6XKraIzSz1WhooRGXqYCsAksXFNVVeP
-+fAGSsZyC3XRKnj2EGe7vAnpc28vZa+Yg2MUiaAeqldP8/mIjw/v/flABP2BhCB6
-yAa7UrXvheG3cu/RzMGfMVs5fdhMaK49/YR4FL7i/CpLOCLTDeP+wIzQWeObY0CU
-IwhVwz90PZklvEWsUchApzjKLAuEv2avY81Ij47BkPfjcKf3Q2VPTP34uTnw0axT
-RIP58VSpAJmOYwgdcxzph2s=
-=uFF9
-----END PGP SIGNATURE-----
--- a/apparmor-2.13.3.tar.gz
+++ b/apparmor-2.13.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639
+size 7384974
--- a/apparmor-2.13.3.tar.gz.asc
+++ b/apparmor-2.13.3.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl0IkgAaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLszZQ/8D1nea3CtBqCN3u2nsfVi
+DLCuE41lGgVwHamnJLcoW80+98udq1OqJfudN47bg3593C/C8AvWElthgfXCnlFc
+y6Njcc6qyJWbx0eEcIu/SlmuclqC1ukbbdj5nNEhwDGxtahrUSdWvM4suQm8dCSi
+zGAJRm4Tc7I63Vy4SDc7ibRtix6SmxwyZHlGpdiuz3ShqR45Tqyrs2gkmT2oj93E
+1VSaQrEGNVmQMXBmpw45WgVjz3DlakT4FfHqvmnPqrg1qEhdpZE+U0NzwOU987QS
+o4gdR3foumY6KpzD5BbXxl3blqeBw38hILMOq8lJ8Zsq9hrUPbcySBYyvr85yBu0
+MDDgrzexUBYbko2rIKY4CmOuswx/pYznqssErujEkEUKHMgAdJX2z7TC25AMQjF6
+ISvjZiCyHP5+vUqa7ym0CCiGNaOIENqRc4lmmwONOMSdBmvnrwiZewJA8Mmlei+G
+v5Vr2c8H8EJh3D2eWuYg/At2COhFvJpAh04qJ3btPylY3rprn98SnYlw/TmbljR
+upxaYs8I72WI8yX9Ty7fDBN92O+3zxxUM9dAeIXSFiLuQXrYcVx1d/ILTsLuogM/
+OwFOQeHzDCNwNMVwYvQ1jDhu7/fZlmJZk0c9OLK+ZppXD05Hy4bfGNx4GbgQr6aX
+IsT+gbT2AkIFO33V56KZVIo=
+=Favj
+-----END PGP SIGNATURE-----
--- a/apparmor-nameservice-resolv-conf-link.patch
+++ b/apparmor-nameservice-resolv-conf-link.patch
@ -1,11 +0,0 @@
--- apparmor-2.13/profiles/apparmor.d/abstractions/nameservice
-+++ apparmor-2.13/profiles/apparmor.d/abstractions/nameservice
-@@ -39,7 +39,7 @@
-   /etc/resolv.conf        r,
-   # On systems where /etc/resolv.conf is managed programmatically, it is
-   # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
-  /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
-+  /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
-   /etc/resolvconf/run/resolv.conf r,
-   /{,var/}run/systemd/resolve/stub-resolv.conf r,
- 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to 2.13.3
+  - profile updates for dnsmasq, dovecot, identd, syslog-ng
+  - new "lsb_release" profile (only used when using "Px -> lsb_release")
+  - fix buggy syntax in tunables/share
+  - several abstraction updates
+  - parser: fix "Px -> foo-bar" (the "-" was rejected before)
+  - several bugfixes in aa-genprof and aa-logprof
+  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3
+    for the detailed upstream changelog
+- drop upstream(ed) patches:
+  - apparmor-nameservice-resolv-conf-link.patch
+  - profile_filename_cornercase.diff
+  - dnsmasq-libvirtd.diff
+  - dnsmasq-revert-alternation.diff
+  - usrmerge-fixes.diff
+  - libapparmor-swig-4.diff
+- re-number remaining patches
+
 -------------------------------------------------------------------
 Wed Jun  5 11:36:25 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)

 Name:           apparmor
-Version:        2.13.2
+Version:        2.13.3
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -57,32 +57,13 @@ Patch1:         apparmor-enable-profile-cache.diff
 Patch2:         apparmor-samba-include-permissions-for-shares.diff

 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
-Patch5:         ruby-2_0-mkmf-destdir.patch
+Patch3:         ruby-2_0-mkmf-destdir.patch

 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
-Patch7:         apparmor-lessopen-profile.patch
-
-# fate#325872 netconfig: write resolv.conf to /run with link to /etc - submitted upstream 2018-12-22 https://gitlab.com/apparmor/apparmor/merge_requests/294
-Patch8:         apparmor-nameservice-resolv-conf-link.patch
-
-# drop check that lets aa-logprof error out in a corner-case (log event for a non-existing profile while a profile file with the default filename for that non-existing profile exists) - boo#1120472
-# submitted upstream 2019-01-02 - https://gitlab.com/apparmor/apparmor/merge_requests/296 (master + 2.13) and https://gitlab.com/apparmor/apparmor/merge_requests/297 (2.12)
-Patch9:         profile_filename_cornercase.diff
+Patch4:         apparmor-lessopen-profile.patch

 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
-Patch10:        apparmor-lessopen-nfs-workaround.diff
-
-# add peer=libvirtd to dnsmasq profile (from upstream 20fe099cede7cb5ec7dcf62a5427936766a6d4e4)
-Patch11:        dnsmasq-libvirtd.diff
-
-# revert path alternation in dnsmasq profile to avoid breaking libvirtd (boo#1127073, submitted upstream 2019-02-26 as https://gitlab.com/apparmor/apparmor/merge_requests/346)
-Patch12:        dnsmasq-revert-alternation.diff
-
-# fix usrmerge (and accidently also update-alternatives) test failures (boo#1127877, from upstream https://gitlab.com/apparmor/apparmor/merge_requests/331)
-Patch13:        usrmerge-fixes.diff
-
-# fix libapparmor tests with swig 4.0 (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/384)
-Patch14:        libapparmor-swig-4.diff
+Patch5:         apparmor-lessopen-nfs-workaround.diff

 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -369,15 +350,9 @@ SubDomain.
 %setup -q
 %patch1
 %patch2
-%patch5 -p1
-%patch7
-%patch8 -p1
-%patch9 -p1
-%patch10
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
+%patch3 -p1
+%patch4
+%patch5

 %build
 %define _lto_cflags %{nil}
@ -609,6 +584,7 @@ fi
 %config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
 %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
+%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
 %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
--- a/dnsmasq-libvirtd.diff
+++ b/dnsmasq-libvirtd.diff
@ -1,27 +0,0 @@
-commit 20fe099cede7cb5ec7dcf62a5427936766a6d4e4
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Sun Jan 13 17:38:09 2019 +0100
-
-    dnsmasq: allow peer=libvirtd to support named profile
-    
-    The /usr/sbin/libvirtd profile will get a profile name ("libvirtd").
-    
-    This patch adjusts the dnsmasq profile to support the named profile in
-    addition to the "old" path-based profile name.
-    
-    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3
-
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index a308e3f7..2627f6d6 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -28,7 +28,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-   network inet6 raw,
- 
-   signal (receive) peer=/usr/{bin,sbin}/libvirtd,
-+  signal (receive) peer=libvirtd,
-   ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
-+  ptrace (readby) peer=libvirtd,
- 
-   owner /dev/tty rw,
- 
--- a/dnsmasq-revert-alternation.diff
+++ b/dnsmasq-revert-alternation.diff
@ -1,38 +0,0 @@
-commit 4b9a07eb9be98c56a622379ba2055f0f9d5dce30
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Tue Feb 26 21:05:16 2019 +0100
-
-    Revert /usr/{bin,sbin}/ alternation in dnsmasq profile
-    
-    Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in
-    the libvirtd profile, practise shows that we were wrong.
-    
-    This patch reverts the profile name to /usr/sbin/dnsmasq, and re-adds
-    the libvirtd peer name /usr/sbin/libvirtd to avoid breaking libvirtd.
-    
-    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
-
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 3f66a17e..2dc8902e 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -12,7 +12,7 @@
- @{TFTP_DIR}=/var/tftp /srv/tftpboot
- 
- #include <tunables/global>
-/usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-+/usr/sbin/dnsmasq flags=(attach_disconnected) {
-   #include <abstractions/base>
-   #include <abstractions/dbus>
-   #include <abstractions/nameservice>
-@@ -28,8 +28,10 @@
-   network inet6 raw,
- 
-   signal (receive) peer=/usr/{bin,sbin}/libvirtd,
-+  signal (receive) peer=/usr/sbin/libvirtd,
-   signal (receive) peer=libvirtd,
-   ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
-+  ptrace (readby) peer=/usr/sbin/libvirtd,
-   ptrace (readby) peer=libvirtd,
- 
-   owner /dev/tty rw,
--- a/libapparmor-swig-4.diff
+++ b/libapparmor-swig-4.diff
@ -1,31 +0,0 @@
-commit a6ac6f4cfcc3d4fe1064087389004c3cc8b41207
-Author: John Johansen <john.johansen@canonical.com>
-Date:   Tue Jun 4 13:16:43 2019 -0700
-
-    libapparmor python: Fix 'aa_log_record' object has no attribute '__getattr__'
-    
-    When building with swig 4 we are seeing the error
-    
-    AttributeError: 'aa_log_record' object has no attribute '__getattr__'
-    
-    Which forces swig to use modern classes which do not generate __getattr__
-    methods.
-    
-    issue: https://gitlab.com/apparmor/apparmor/issues/33
-    Acked-by: Seth Arnold <seth.arnold@canonical.com>
-    Acked-by: Steve Beattie <steve@nxnw.org>
-    Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/libraries/libapparmor/swig/python/test/test_python.py.in b/libraries/libapparmor/swig/python/test/test_python.py.in
-index 54bd70a9..75c71415 100644
--- a/libraries/libapparmor/swig/python/test/test_python.py.in
-+++ b/libraries/libapparmor/swig/python/test/test_python.py.in
-@@ -109,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase):
- 
-         new_record = dict()
-         for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
-            value = record.__getattr__(key)
-+            value = getattr(record, key)
-             if key == "event" and value in EVENT_MAP:
-                 new_record[key] = EVENT_MAP[value]
-             elif key == "version":
--- a/libapparmor.changes
+++ b/libapparmor.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jun 18 20:50:19 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.1
+  - some fixes in cache handling
+  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3
+    for the detailed upstream changelog
+
 -------------------------------------------------------------------
 Tue Apr 23 11:34:08 UTC 2019 - Martin Liška <mliska@suse.cz>

--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@


 Name:           libapparmor
-Version:        2.13.2
+Version:        2.13.3
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
--- a/profile_filename_cornercase.diff
+++ b/profile_filename_cornercase.diff
@ -1,28 +0,0 @@
-diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
-index f0961d93..50e842b2 100644
--- a/utils/apparmor/logparser.py
-+++ b/utils/apparmor/logparser.py
-@@ -13,7 +13,6 @@
- #
- # ----------------------------------------------------------------------
- import ctypes
-import os
- import re
- import sys
- import time
-@@ -449,14 +448,7 @@ class ReadLog:
-         # Check cache of profiles
-         if self.active_profiles.filename_from_profile_name(program):
-             return True
-        # Check the disk for profile
-        prof_path = self.get_profile_filename(program)
-        #print(prof_path)
-        if os.path.isfile(prof_path):
-            # Add to cache of profile
-            raise AppArmorBug('This should never happen, please open a bugreport!')
-            # self.active_profiles[program] = prof_path
-            # return True
-+
-         return False
- 
-     def get_profile_filename(self, profile):
--- a/usrmerge-fixes.diff
+++ b/usrmerge-fixes.diff
@ -1,957 +0,0 @@
-commit f75ec6fef6de26c0c9da8ecda4d28510720b52f3
-Author: Steve Beattie <gitlab@nxnw.org>
-Date:   Wed Feb 13 16:57:52 2019 +0000
-
-    usr merge fixups
-    
-    Debian and Ubuntu have releases coming out with usr-merge in place. For
-    these systems, /bin and /sbin are symlinks to their respective /usr
-    directories. This breaks a few tests in the python utils and in the
-    regression tests. This patch series fixes them, mostly by performing
-    realpath() calls when necessary. For the ptrace regression test,
-    it copies the called /bin/true binary into the created temporary
-    directory and executes it from there. (Good for other reasons, too.)
-    
-    (cherry picked from commit b4ab8476e4721b922d2de193b9203bba0c192bf9)
-    Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
-    Acked-by: John Johansen <john.johansen@canonical.com>
-    MR: https://gitlab.com/apparmor/apparmor/merge_requests/331
-
-diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
-index 7ca5ef12..6b192406 100755
--- a/tests/regression/apparmor/mkprofile.pl
-+++ b/tests/regression/apparmor/mkprofile.pl
-@@ -132,10 +132,10 @@ sub gen_binary($) {
-   my $hashbang = head($bin);
-   if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
-     my $interpreter = $1;
-    gen_file("$interpreter:rix");
-+    gen_file(realpath($interpreter) . ":rix");
-     gen_elf_binary($interpreter);
-   } else {
-    gen_elf_binary($bin)
-+    gen_elf_binary(realpath($bin))
-   }
- }
- 
-diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh
-index c3363479..320d65e8 100755
--- a/tests/regression/apparmor/ptrace.sh
-+++ b/tests/regression/apparmor/ptrace.sh
-@@ -30,26 +30,29 @@ bin=$pwd
- 
- helper=$pwd/ptrace_helper
- 
-+bin_true=${tmpdir}/true
-+cp -pL /bin/true ${tmpdir}/true
-+
- # -n number of syscalls to perform
- # -c have the child call ptrace_me, else parent does ptrace_attach
- # -h transition child to ptrace_helper before doing ptrace (used to test
- #  x transitions with ptrace)
- # test base line of unconfined tracing unconfined
-runchecktest "test 1" pass -n 100 /bin/true
-runchecktest "test 1 -c" pass -c -n 100 /bin/true
-+runchecktest "test 1" pass -n 100 ${bin_true}
-+runchecktest "test 1 -c" pass -c -n 100 ${bin_true}
- runchecktest "test 1 -h" pass -h -n 100 $helper
- runchecktest "test 1 -hc" pass -h -c -n 100 $helper
-runchecktest "test 1 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 1 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 1 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 1 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- # test that unconfined can ptrace before profile attaches
-genprofile image=/bin/true signal:ALL
-runchecktest "test 2" pass -n 100 /bin/true
-runchecktest "test 2 -c" pass -c -n 100 /bin/true
-+genprofile image=${bin_true} signal:ALL
-+runchecktest "test 2" pass -n 100 ${bin_true}
-+runchecktest "test 2 -c" pass -c -n 100 ${bin_true}
- runchecktest "test 2 -h" pass -h -n 100 $helper
- runchecktest "test 2 -hc" pass -h -c -n 100 $helper
-runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 2 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- 
- if [ "$(kernel_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
-diff --git a/tests/regression/apparmor/ptrace_v5.inc b/tests/regression/apparmor/ptrace_v5.inc
-index 56833667..4a692402 100644
--- a/tests/regression/apparmor/ptrace_v5.inc
-+++ b/tests/regression/apparmor/ptrace_v5.inc
-@@ -13,133 +13,133 @@
- genprofile image=$helper
- runchecktest "test 3 -h" pass -h -n 100 $helper
- runchecktest "test 3 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- # lack of 'r' perm is currently not working
- genprofile image=$helper $helper:ix
- runchecktest "test 4 -h" pass -h -n 100 $helper
- runchecktest "test 4 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- genprofile image=$helper $helper:rix
- runchecktest "test 5 -h" pass -h -n 100 $helper
- runchecktest "test 5 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
-genprofile image=$helper $helper:ix /bin/true:rix
-+genprofile image=$helper $helper:ix ${bin_true}:rix
- runchecktest "test 6 -h" pass -h -n 100 $helper
- runchecktest "test 6 -hc " pass -h -c -n 100 $helper
-runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 6 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #traced child can ptrace_me to unconfined have unconfined trace them
-genprofile image=/bin/true
-runchecktest "test 7" pass -n 100 /bin/true
-+genprofile image=${bin_true}
-+runchecktest "test 7" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done in unconfined helper
-runchecktest "test 7 -c " pass -c -n 100 /bin/true
-+runchecktest "test 7 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 7 -h" pass -h -n 100 $helper
- # pass - ptrace_attach is done in unconfined helper
- runchecktest "test 7 -hc " pass -h -c -n 100 $helper
-runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 7 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
-genprofile image=$helper $helper:ix /bin/true:rix
-runchecktest "test 7a" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rix
-+runchecktest "test 7a" pass -n 100 ${bin_true}
- # pass - ptrace_attach is allowed from confined process to unconfined
-runchecktest "test 7a -c " pass -c -n 100 /bin/true
-+runchecktest "test 7a -c " pass -c -n 100 ${bin_true}
- runchecktest "test 7a -h" pass -h -n 100 $helper
- # pass - ptrace_attach is allowed from confined process to unconfined
- runchecktest "test 7a -hc " pass -h -c -n 100 $helper
-runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 7a -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true
-runchecktest "test 8" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rpx -- image=${bin_true}
-+runchecktest "test 8" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done before exec
-runchecktest "test 8 -c " pass -c -n 100 /bin/true
-+runchecktest "test 8 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 8 -h" pass -h -n 100 $helper
- runchecktest "test 8 -hc " pass -h -c -n 100 $helper
- # pass - can px if tracer can ptrace target
-runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 8 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true
-runchecktest "test 9" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rux -- image=${bin_true}
-+runchecktest "test 9" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done before exec
-runchecktest "test 9 -c " pass -c -n 100 /bin/true
-+runchecktest "test 9 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 9 -h" pass -h -n 100 $helper
- runchecktest "test 9 -hc " pass -h -c -n 100 $helper
- # pass - can ux if tracer can ptrace target
-runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 9 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- genprofile
- # fail due to no exec permission
-runchecktest "test 10" fail -n 100 /bin/true
-runchecktest "test 10 -c" fail -c -n 100 /bin/true
-+runchecktest "test 10" fail -n 100 ${bin_true}
-+runchecktest "test 10 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 10 -h" fail -h -n 100 $helper
- runchecktest "test 10 -hc" fail -h -c -n 100 $helper
-runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 10 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
-genprofile /bin/true:ix $helper:ix
-+genprofile ${bin_true}:ix $helper:ix
- # fail due to missing r permission
-#runchecktest "test 11" fail -n 100 /bin/true
-#runchecktest "test 11 -c" fail -c -n 100 /bin/true
-+#runchecktest "test 11" fail -n 100 ${bin_true}
-+#runchecktest "test 11 -c" fail -c -n 100 ${bin_true}
- #runchecktest "test 11 -h" fail -h -n 100 $helper
- #runchecktest "test 11 -hc" fail -h -c -n 100 $helper
-#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
-#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
-+#runchecktest "test 11 -h prog" fail -h -n 100 $helper ${bin_true}
-+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- # pass allowed to ix self
-genprofile /bin/true:rix $helper:rix
-runchecktest "test 12" pass -n 100 /bin/true
-runchecktest "test 12 -c" pass -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix
-+runchecktest "test 12" pass -n 100 ${bin_true}
-+runchecktest "test 12 -c" pass -c -n 100 ${bin_true}
- runchecktest "test 12 -h" pass -h -n 100 $helper
- runchecktest "test 12 -hc" pass -h -c -n 100 $helper
-runchecktest "test 12 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 12 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #ptraced confined app can't px - fails to unset profile
-genprofile image=$helper $helper:rix /bin/true:rpx
-runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rpx
-+runchecktest "test 13 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- #ptraced confined app can ux - if the tracer is unconfined
- #
-genprofile image=$helper $helper:rix /bin/true:rux
-runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux
-+runchecktest "test 14a -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace unconfined
-genprofile $helper:rpx -- image=$helper $helper:rix /bin/true:rux
-runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx -- image=$helper $helper:rix ${bin_true}:rux
-+runchecktest "test 14b -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux
- runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx -- image=$helper
- runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- 
-diff --git a/tests/regression/apparmor/ptrace_v6.inc b/tests/regression/apparmor/ptrace_v6.inc
-index 37781551..b0cf983a 100644
--- a/tests/regression/apparmor/ptrace_v6.inc
-+++ b/tests/regression/apparmor/ptrace_v6.inc
-@@ -25,186 +25,186 @@ genprofile image=$helper signal:ALL ptrace:tracedby:peer=unconfined
- 
- runchecktest "test 3 -h" pass -h -n 100 $helper
- runchecktest "test 3 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- # lack of 'r' perm is currently not working
- genprofile image=$helper $helper:ix signal:ALL
- runchecktest "test 4 -h" pass -h -n 100 $helper
- runchecktest "test 4 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- genprofile image=$helper $helper:rix signal:ALL
- runchecktest "test 5 -h" pass -h -n 100 $helper
- runchecktest "test 5 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
-genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
-+genprofile image=$helper $helper:ix ${bin_true}:rix signal:ALL
- runchecktest "test 6 -h" pass -h -n 100 $helper
- runchecktest "test 6 -hc " pass -h -c -n 100 $helper
-runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 6 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #traced child can ptrace_me to unconfined have unconfined trace them
-genprofile image=/bin/true signal:ALL
-runchecktest "test 7" pass -n 100 /bin/true
-+genprofile image=${bin_true} signal:ALL
-+runchecktest "test 7" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done in unconfined helper
-runchecktest "test 7 -c " pass -c -n 100 /bin/true
-+runchecktest "test 7 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 7 -h" pass -h -n 100 $helper
- # pass - ptrace_attach is done in unconfined helper
- runchecktest "test 7 -hc " pass -h -c -n 100 $helper
-runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 7 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
-genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
-runchecktest "test 7a" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rix signal:ALL
-+runchecktest "test 7a" pass -n 100 ${bin_true}
- # pass - ptrace_attach is allowed from confined process to unconfined
-runchecktest "test 7a -c " pass -c -n 100 /bin/true
-+runchecktest "test 7a -c " pass -c -n 100 ${bin_true}
- runchecktest "test 7a -h" pass -h -n 100 $helper
- # pass - ptrace_attach is allowed from confined process to unconfined
- runchecktest "test 7a -hc " pass -h -c -n 100 $helper
-runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 7a -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rpx signal:ALL -- image=/bin/true signal:ALL
-runchecktest "test 8" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rpx signal:ALL -- image=${bin_true} signal:ALL
-+runchecktest "test 8" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done before exec
-runchecktest "test 8 -c " pass -c -n 100 /bin/true
-+runchecktest "test 8 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 8 -h" pass -h -n 100 $helper
- runchecktest "test 8 -hc " pass -h -c -n 100 $helper
- # pass - can px if tracer can ptrace target
-runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 8 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rux signal:ALL -- image=/bin/true signal:ALL
-runchecktest "test 9" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rux signal:ALL -- image=${bin_true} signal:ALL
-+runchecktest "test 9" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done before exec
-runchecktest "test 9 -c " pass -c -n 100 /bin/true
-+runchecktest "test 9 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 9 -h" pass -h -n 100 $helper
- runchecktest "test 9 -hc " pass -h -c -n 100 $helper
- # pass - can ux if tracer can ptrace target
-runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 9 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- genprofile signal:ALL
- # fail due to no exec permission
-runchecktest "test 10" fail -n 100 /bin/true
-runchecktest "test 10 -c" fail -c -n 100 /bin/true
-+runchecktest "test 10" fail -n 100 ${bin_true}
-+runchecktest "test 10 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 10 -h" fail -h -n 100 $helper
- runchecktest "test 10 -hc" fail -h -c -n 100 $helper
-runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 10 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
-genprofile /bin/true:ix $helper:ix signal:ALL
-+genprofile ${bin_true}:ix $helper:ix signal:ALL
- # fail due to missing r permission
-#runchecktest "test 11" fail -n 100 /bin/true
-#runchecktest "test 11 -c" fail -c -n 100 /bin/true
-+#runchecktest "test 11" fail -n 100 ${bin_true}
-+#runchecktest "test 11 -c" fail -c -n 100 ${bin_true}
- #runchecktest "test 11 -h" fail -h -n 100 $helper
- #runchecktest "test 11 -hc" fail -h -c -n 100 $helper
-#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
-#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
-+#runchecktest "test 11 -h prog" fail -h -n 100 $helper ${bin_true}
-+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- # fail was pass in v5 allowed to ix self
-genprofile /bin/true:rix $helper:rix signal:ALL
-runchecktest "test 12" fail -n 100 /bin/true
-runchecktest "test 12 -c" fail -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix signal:ALL
-+runchecktest "test 12" fail -n 100 ${bin_true}
-+runchecktest "test 12 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 12 -h" fail -h -n 100 $helper
- runchecktest "test 12 -hc" fail -h -c -n 100 $helper
-runchecktest "test 12 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 12 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 12 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 12 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #ptraced confined app traced by unconfined can px
-genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
-runchecktest "test 13u -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13u -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rpx signal:ALL -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13u -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13u -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #ptraced confined app traced by profile without ptrace on targeted can't px
-genprofile /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
-runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile ${bin_true}:rpx signal:ALL -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- #ptraced confined app can ux - if the tracer is unconfined
- #
-genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
-runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14a -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace unconfined
-genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
-runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14b -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux signal:ALL
- runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
- runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- ################### cap:sys_ptrace doesn't change results from above ##########################
- # fail was pass in v5 allowed to ix self
-genprofile /bin/true:rix $helper:rix signal:ALL cap:sys_ptrace
-runchecktest "test 12c" fail -n 100 /bin/true
-runchecktest "test 12c -c" fail -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix signal:ALL cap:sys_ptrace
-+runchecktest "test 12c" fail -n 100 ${bin_true}
-+runchecktest "test 12c -c" fail -c -n 100 ${bin_true}
- runchecktest "test 12c -h" fail -h -n 100 $helper
- runchecktest "test 12c -hc" fail -h -c -n 100 $helper
-runchecktest "test 12c -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 12c -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #ptraced confined app traced by unconfined can px
-genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
-runchecktest "test 13cu -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rpx signal:ALL cap:sys_ptrace -- image=${bin_true} ${bin_true}:rix cap:sys_ptrace
-+runchecktest "test 13cu -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- #ptraced confined app traced by profile without ptrace on targeted can't px
-genprofile /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
-runchecktest "test 13c -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile ${bin_true}:rpx signal:ALL cap:sys_ptrace -- image=${bin_true} ${bin_true}:rix cap:sys_ptrace
-+runchecktest "test 13c -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- #ptraced confined app can ux - if the tracer is unconfined
- #
-genprofile image=$helper $helper:rix /bin/true:rux signal:ALL cap:sys_ptrace
-runchecktest "test 14ca -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux signal:ALL cap:sys_ptrace
-+runchecktest "test 14ca -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace unconfined
-genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
-runchecktest "test 14cb -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14cb -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux signal:ALL cap:sys_ptrace
- runchecktest "test 15c -h" fail -h -n 100 $helper
-runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15c -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15c -hc" fail -h -c -n 100 $helper
-runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx signal:ALL cap:sys_ptrace -- image=$helper signal:ALL cap:sys_ptrace
- runchecktest "test 15c -h" fail -h -n 100 $helper
-runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15c -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15c -hc" fail -h -c -n 100 $helper
-runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- ################################################################################
-@@ -213,163 +213,163 @@ runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
- 
- ##### Now do tests with ptrace rules in profiles #######
- # pass in v5 allowed to ix self
-genprofile /bin/true:rix $helper:rix signal:ALL ptrace:ALL
-runchecktest "test 12p" pass -n 100 /bin/true
-runchecktest "test 12p -c" pass -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix signal:ALL ptrace:ALL
-+runchecktest "test 12p" pass -n 100 ${bin_true}
-+runchecktest "test 12p -c" pass -c -n 100 ${bin_true}
- runchecktest "test 12p -h" pass -h -n 100 $helper
- runchecktest "test 12p -hc" pass -h -c -n 100 $helper
-runchecktest "test 12p -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 12p -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rix $helper:rix signal:ALL ptrace:peer=$test
-runchecktest "test 12p1" pass -n 100 /bin/true
-runchecktest "test 12p1 -c" pass -c -n 100 /bin/true
-+runchecktest "test 12p -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 12p -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rix $helper:rix signal:ALL ptrace:peer=$test
-+runchecktest "test 12p1" pass -n 100 ${bin_true}
-+runchecktest "test 12p1 -c" pass -c -n 100 ${bin_true}
- runchecktest "test 12p1 -h" pass -h -n 100 $helper
- runchecktest "test 12p1 -hc" pass -h -c -n 100 $helper
-runchecktest "test 12p1 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 12p1 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rix $helper:rix signal:ALL ptrace:peer=notaprofile
-runchecktest "test 12p2" fail -n 100 /bin/true
-runchecktest "test 12p2 -c" fail -c -n 100 /bin/true
-+runchecktest "test 12p1 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 12p1 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rix $helper:rix signal:ALL ptrace:peer=notaprofile
-+runchecktest "test 12p2" fail -n 100 ${bin_true}
-+runchecktest "test 12p2 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 12p2 -h" fail -h -n 100 $helper
- runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
-runchecktest "test 12p2 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- #ptraced confined app traced by profile can px
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix
-runchecktest "test 13p1 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p2 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
-runchecktest "test 13p3 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13p4 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
-runchecktest "test 13p5 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13p6 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
-runchecktest "test 13p7 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p8 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
-runchecktest "test 13p9 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pa -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
-runchecktest "test 13pb -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pc -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
-runchecktest "test 13pd -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pe -hc prog" fail -h -c -n 100 $helper /bin/true
-
-
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix
-runchecktest "test 13p11 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p21 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
-runchecktest "test 13p31 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13p41 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
-runchecktest "test 13p51 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13p61 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
-runchecktest "test 13p71 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p81 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
-runchecktest "test 13p91 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pa1 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
-runchecktest "test 13pb1 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pc1 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
-runchecktest "test 13pd1 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pe1 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix
-runchecktest "test 13p12 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p22 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby
-runchecktest "test 13p32 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13p42 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
-runchecktest "test 13p52 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 13p62 -hc prog" pass -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
-runchecktest "test 13p72 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p82 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace
-runchecktest "test 13p92 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pa2 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
-runchecktest "test 13pb2 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pc2 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
-runchecktest "test 13pd2 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pe2 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix
-runchecktest "test 13p13 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p23 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby
-runchecktest "test 13p33 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p43 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
-runchecktest "test 13p53 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p63 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
-runchecktest "test 13p73 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p83 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace
-runchecktest "test 13p93 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pa3 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
-runchecktest "test 13pb3 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pc3 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
-runchecktest "test 13pd3 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pe3 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix
-runchecktest "test 13p14 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p24 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
-runchecktest "test 13p34 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p44 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
-runchecktest "test 13p54 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p64 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
-runchecktest "test 13p74 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p84 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
-runchecktest "test 13p94 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pa4 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
-runchecktest "test 13pb4 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pc4 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
-runchecktest "test 13pd4 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pe4 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix
-runchecktest "test 13p15 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p25 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
-runchecktest "test 13p35 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p45 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
-runchecktest "test 13p55 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p65 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
-runchecktest "test 13p75 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13p85 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
-runchecktest "test 13p95 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pa5 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
-runchecktest "test 13pb5 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pc5 -hc prog" fail -h -c -n 100 $helper /bin/true
-genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
-runchecktest "test 13pd5 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p1 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p3 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p4 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p5 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p6 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p7 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p8 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p9 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p11 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p21 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p31 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p41 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p51 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p61 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p71 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p81 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p91 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa1 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb1 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc1 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd1 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe1 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p12 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p22 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p32 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p42 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p52 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p62 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p72 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p82 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p92 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb2 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd2 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p13 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p23 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p33 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p43 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p53 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p63 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p73 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p83 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p93 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p14 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p24 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p34 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p44 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p54 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p64 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p74 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p84 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p94 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p15 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p25 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p35 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p45 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p55 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p65 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p75 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p85 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p95 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- 
- ### todo Variations of below tests
-@@ -377,30 +377,30 @@ runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper /bin/true
- 
- #ptraced confined app can ux - if the tracer is unconfined
- #
-genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
-runchecktest "test 14pa -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 14pa -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14pa -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14pa -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace unconfined
-genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
-runchecktest "test 14pb -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14pb -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14pb -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14pb -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux signal:ALL
- runchecktest "test 15p -h" fail -h -n 100 $helper
-runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15p -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15p -hc" fail -h -c -n 100 $helper
-runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
- runchecktest "test 15p -h" fail -h -n 100 $helper
-runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15p -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15p -hc" fail -h -c -n 100 $helper
-runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper ${bin_true}
- 
- # Test LP: #1390592
- # The bug was a policy compilation bug that triggers in a rule such as
-@@ -408,9 +408,9 @@ runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
- # a-f|A-F|0-9 to trigger the bug. A parser affected by this bug will create a
- # bad binary policy that causes the kernel to unexpectedly deny the ptrace
- # 'trace' of a process confined by profile ABC.
-genprofile "$helper rpx -> ABC" signal:ALL ptrace:trace:peer=ABC -- image=ABC addimage:$helper /bin/true:rix signal:ALL ptrace:tracedby:peer=$test
-runchecktest "test LP: #1390592 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test LP: #1390592 -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile "$helper rpx -> ABC" signal:ALL ptrace:trace:peer=ABC -- image=ABC addimage:$helper ${bin_true}:rix signal:ALL ptrace:tracedby:peer=$test
-+runchecktest "test LP: #1390592 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test LP: #1390592 -hc prog" pass -h -c -n 100 $helper ${bin_true}
- 
- ## TODO: ptrace read tests
- ## TODO: ptrace + change_profile
-diff --git a/utils/test/fake_ldd b/utils/test/fake_ldd
-index 60f5c675..afec6eba 100755
--- a/utils/test/fake_ldd
-+++ b/utils/test/fake_ldd
-@@ -5,7 +5,7 @@ import sys
- if len(sys.argv) != 2:
-     raise Exception('wrong number of arguments in fake_ldd')
- 
-if sys.argv[1] == '/AATest/bin/bash' or sys.argv[1] == '/bin/bash':
-+if sys.argv[1] in ['/AATest/bin/bash', '/bin/bash', '/usr/bin/bash']:
-     print('        linux-vdso.so.1 (0x00007ffcf97f4000)')
-     print('        libreadline.so.6 => /AATest/lib64/libreadline.so.6 (0x00007f2c41324000)')
-     print('        libtinfo.so.6 => /AATest/lib64/libtinfo.so.6 (0x00007f2c410f9000)')
-diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
-index d93b8eae..56b14c6e 100644
--- a/utils/test/test-aa.py
-+++ b/utils/test/test-aa.py
-@@ -135,6 +135,9 @@ class AaTest_create_new_profile(AATest):
-         apparmor.aa.load_include('abstractions/bash')
- 
-         exp_interpreter_path, exp_abstraction = expected
-+        # damn symlinks!
-+        if exp_interpreter_path:
-+            exp_interpreter_path = os.path.realpath(exp_interpreter_path)
- 
-         program = self.writeTmpfile('script', params)
-         profile = create_new_profile(program)
-@@ -178,11 +181,8 @@ class AaTest_get_interpreter_and_abstraction(AATest):
-         interpreter_path, abstraction = get_interpreter_and_abstraction(program)
- 
-         # damn symlinks!
-        if exp_interpreter_path and os.path.islink(exp_interpreter_path):
-            dirname = os.path.dirname(exp_interpreter_path)
-            exp_interpreter_path = os.readlink(exp_interpreter_path)
-            if not exp_interpreter_path.startswith('/'):
-                exp_interpreter_path = os.path.join(dirname, exp_interpreter_path)
-+        if exp_interpreter_path:
-+            exp_interpreter_path = os.path.realpath(exp_interpreter_path)
- 
-         self.assertEqual(interpreter_path, exp_interpreter_path)
-         self.assertEqual(abstraction, exp_abstraction)