apparmor/changes-since-3.0.0.diff
Christian Boltz 980f095fc4 Accepting request 844157 from home:cboltz
- update to AppArmor 3.0.0
  - introduce feature abi declaration in profiles to enable use of
    new rule types (for openSUSE: dbus and unix rules)
  - support xattr attachment conditionals
  - experimental support for kill and unconfined profile modes
  - rewritten aa-status (in C), including support for new profile modes
  - rewritten aa-notify (in python), finally dropping the perl
    requirement at runtime
  - new tool aa-features-abi for extracting feature abis from the kernel
  - update profiles to have profile names and to use 3.0 feature abi
  - introduce @{etc_ro} and @{etc_rw} profile variables
  - new profile for php-fpm
  - several updates to profiles and abstractions (including boo#1166007)
  - fully support 'include if exists' in the aa-* tools
  - rewrite handling of alias, include, link and variable rules in
    the aa-* tools
  - rewrite and simplify log handling in the aa-logprof and aa-genprof
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
    for the detailed upstream changelog
- patches:
  - add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
    release up to 3e18c0785abc03ee42a022a67a27a085516a7921
  - drop upstreamed usr-etc-abstractions-base-nameservice.diff
  - drop 2.13-only libapparmor-so-number.diff
  - refresh apparmor-enable-profile-cache.diff - partially upstreamed
  - update apparmor-samba-include-permissions-for-shares.diff and
    apparmor-lessopen-profile.patch - switch to "include if exists"
  - apparmor-lessopen-profile.patch: add abi rule to lessopen profile
  - refresh apparmor-lessopen-nfs-workaround.diff
- move away very loose apache profile that doesn't even match the
  apache2 binary path in openSUSE to avoid confusion (boo#872984)
- move rewritten aa-status from utils to parser subpackage
- add aa-features-abi to parser subpackage
- replace perl and libnotify-tools requires with requiring
  python3-notify2 and python3-psutil (needed by the rewritten
  aa-notify)
- drop ancient cleanup for /etc/init.d/subdomain from parser %pre
- drop (never enabled) conditionals to build with python2 and to
  build the python-apparmor subpackage (upstream dropped python2
  support)
- drop setting PYTHON and PYTHON_VERSIONS env variable, no longer needed
- set PYFLAKES path for utils check
- add precompiled_cache build conditional to allow faster local
  builds without using kvm
- remove duplicated BuildRequires: swig

libapparmor:
- update to AppArmor 3.0.0
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
    for the detailed upstream changelog
- add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
  release up to 3e18c0785abc03ee42a022a67a27a085516a7921
- drop 2.13-only patch libapparmor-so-number.diff

OBS-URL: https://build.opensuse.org/request/show/844157
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=281
2020-10-26 20:16:22 +00:00

Changes since v3.0.0 up to 3e18c0785abc03ee42a022a67a27a085516a7921
commit 3e18c0785abc03ee42a022a67a27a085516a7921
Author: John Johansen <john@jjmx.net>
Date: Sun Oct 25 11:32:06 2020 +0000
Merge profiles/apparmor.d/abstractions/X: make x11 socket writable again
Unfortunately, in AppArmor sockets need `rw` access. Currently X11 can only work if the abstract socket is available and used instead, so those restrictions won't trigger.
partially reverts https://gitlab.com/apparmor/apparmor/-/commit/c7b836821660b561fee29ce360949aebcb7b4298
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/664
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0cb35fda84a6ace742d9da3a7630a0dcc6ffae9d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 15595eb51d0949b7f57e59b7dca73d1b0a26a6e0
Author: John Johansen <john@jjmx.net>
Date: Sun Oct 25 11:24:58 2020 +0000
Merge Add Fontmatrix to abstractions/fonts
[Fontmatrix](https://github.com/fontmatrix/fontmatrix) [adds ~/.Fontmatrix/Activated to fonts.conf](https://github.com/fontmatrix/fontmatrix/blob/75552e2/src/typotek.cpp#L1081-L1088). This causes programs which use [Fontconfig](https://gitlab.freedesktop.org/fontconfig/fontconfig) (directly or indirectly through libraries such as [Pango](https://pango.gnome.org/)) to include that directory in their font search path, which causes errors such as:
```
audit: type=1400 audit(1602678958.525:53): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/username/.Fontmatrix/Activated/.uuid" pid=48553 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1602678958.525:54): apparmor="DENIED" operation="open" profile="fr.emersion.Mako" name="/home/username/.Fontmatrix/Activated/" pid=48553 comm="mako" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```
if the program does not explicitly include this directory in its AppArmor profile. As with other common font locations, add `~/.Fontmatrix/Activated` to the fonts abstraction for read-only access.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/657
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 24855edd11f14fe80fe8744ef61b3a4297fdf5ce)
commit ad30555a96488989f4b623fb9499c530bdda6de3
Author: Francois Marier <francois@debian.org>
Date: Sun Oct 25 09:37:01 2020 +0000
Adjust to support brave in ubuntu abstractions
Bug-Ubuntu: https://launchpad.net/bugs/1889699
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/667
(cherry picked from commit 9b30f9306dcc87bcfc0d5de51af6357e98f8b099)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit b0e12a5788744149ee4a108064d5c92e0e77f2b5
Author: Jamie Strandboge <jamie@canonical.com>
Date: Sun Oct 25 09:37:01 2020 +0000
Adjust ubuntu-integration to use abstractions/exo-open
Bug-Ubuntu: https://launchpad.net/bugs/1891338
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/666
(cherry picked from commit 9ff0bbb69e47f8f3cddc56a2134558a79ac062d5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 1ba978b65c6d544af1b67126e348398218210488
Author: Christian Boltz <gitlab2@cboltz.de>
Date: Sun Oct 25 10:16:26 2020 +0000
Merge branch 'adjust-for-new-ICEauthority-path-in-run' into 'master'
Adjust for new ICEauthority path in /run
Bug-Ubuntu: https://launchpad.net/bugs/1881357
See merge request apparmor/apparmor!668
Acked-by: Christian Boltz <apparmor@cboltz.de> for 3.0 and master
(cherry picked from commit dbb1b900b818d270086e2da3e780cdc83e2c7a1c)
1abe1017 Adjust for new ICEauthority path in /run
commit 3c2ddc2ede2d0b479cb4f3f27fa108789a3ca9f2
Author: Mikhail Morfikov <mmorfikov@gmail.com>
Date: Sun Oct 11 05:08:32 2020 -0700
abstractions: mesa - tightens cache location and add fallback
This tightens the cache location in @{HOME}/.cache and also adds
the tmp fallback location.
Currently there are the following entries in the mesa abstraction:
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/91
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 5aa6db68e0fb8a7db5a4e5872a0a1e14cfbbfdfe)
commit 805cb2c796bb66e7ab5043554edd4c27da774e51
Author: glitsj16 <apparmor.issue124@gitlab.com>
Date: Sun Oct 11 04:46:48 2020 -0700
profiles: nscd: service fails with apparmor 3.0.0-2 on Arch Linux
After a recent upgrade of apparmor on Arch Linux the nscd systemd service fails to start. Arch Linux has /var/db/nscd and that path is missing from the profile AFAICT.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/651
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/124
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 821f9fe42d4e83b6b73972a97953686d005858e9)
commit 8cb1f8f4f656f30ecd30246ef436ebd85b03450e
Author: John Johansen <john.johansen@canonical.com>
Date: Wed Oct 21 03:16:46 2020 -0700
utils: fix make -C profiles check-logprof fails
On arch
make -C profiles check-logprof
fails with
```
*** Checking profiles from ./apparmor.d against logprof
ERROR: Can't find AppArmor profiles in /etc/apparmor.d
make: *** [Makefile:113: check-logprof] Error 1
make: Leaving directory '/build/apparmor/src/apparmor-2.13.3/profiles'
```
because /etc/apparmor.d/ is not available in the build environment
and aa-logprof's --dir argument is not being passed to init_aa()
but used to update profiles_dir after the fact.
Fix this by passing profiledir as an argument to init_aa()
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/36
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/663
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 15dc06248c62ccceec00f70296a6c17f7c5096a1)
commit ff72ea9a56918da19f4a53acda26d14c7e598b56
Author: John Johansen <john.johansen@canonical.com>
Date: Mon Oct 19 19:14:59 2020 -0700
aa-notify: Stop aa-notify from exit after 100s of polling
When run with the -p flag, aa-notify works fine for 100 seconds and then it exits.
I suspect that the issue arises from the following check on line 259 in utils/aa-notify
```
if debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
    debug_logger.debug('Debug mode detected: aborting notification emitter after 100 seconds.')
    sys.exit(0)
```
together with line 301 in utils/apparmor/common.py which initializes debug_logger.debug_level to logging.DEBUG which has the numerical value 10.
A simple solution might be to just remove the check as I'm not quite sure why one would want aa-notify to exit when run in debug mode in the first place.
Alternatively, one could check against debug_logger.debugging (initialized to False) or change the initialization of debug_logger.debug_level to something else, but I don't know how that would affect other consumers of utils/apparmor/common.py.
For now just add debug_logger.debugging as an additional check, as the
reasons for timing out after 100s during debugging are unclear.
Suggested-by: vicvbcun
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/126
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/660
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Otto Kekäläinen <otto@kekalainen.net>
(cherry picked from commit 8ea7630b6dc6b46e00341835e92c4f6ead05e984)
commit eab43b53589c9fbe40c7f1a9957b7696e1b89e11
Author: John Johansen <john.johansen@canonical.com>
Date: Tue Oct 20 21:38:02 2020 -0700
utils: split linting with PYFLAKES into a separate target.
This is a step towards addressing the linting of the utils causing
problems in a build vs dev environment. See
https://gitlab.com/apparmor/apparmor/-/issues/121
Split off linting with PYFLAKES into its own target as a step towards
making the running of the lint checks a configuration option.
https://gitlab.com/apparmor/apparmor/-/merge_requests/662
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 43eb54d13caf2c46178328e451a971698f3f35a7)
commit bf75381287e36b0a1f567ed39cc65c7db75db154
Author: John Johansen <john@jjmx.net>
Date: Mon Oct 19 22:22:23 2020 +0000
Merge Revert "Merge dnsmasq: Permit access to /proc/self/fd/"
This reverts merge request !628. My reason for this proposal is that commit 88c142c6 already provided this change, something I must have missed when I opened the initial merge request. This resulted in duplicate entries in the profile, something that is also potentially confusing to users or other contributors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/659
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 38c611ed314f739f62279c00b07c249046209488)
e0b20a4d Revert "Merge dnsmasq: Permit access to /proc/self/fd/"
commit 80efc15e18a6bb0d0abd2821cb03bf6be51cc517
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed Oct 14 14:01:55 2020 +0200
Add CAP_CHECKPOINT_RESTORE to severity.db
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/656
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2c2dbdc3a3012ce06371edc1e9be6f58711d8565)
commit 49db93a79d164cbd49d05c5d8ef51a56ed87d4d5
Author: John Johansen <john.johansen@canonical.com>
Date: Wed Oct 14 04:08:04 2020 -0700
translations: update generated pot files
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 935003883e02a8a2af79ccc483ad4f9e9d2e50c7
Author: John Johansen <john.johansen@canonical.com>
Date: Tue Oct 13 19:19:10 2020 -0700
parser: Add support for CAP_CHECKPOINT_RESTORE
Linux 5.9 added CAP_CHECKPOINT_RESTORE; add it to the set of supported
capabilities.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/654
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit 644a473971df4e18555e97fa36bafd89459c4717)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 5ee729331ac5e9d765db0e4a621d5366a074bb29
Author: John Johansen <john.johansen@canonical.com>
Date: Tue Oct 13 04:34:24 2020 -0700
regression tests: fix aa_policy_cache to use correct config file
The aa_policy_cache test is using the system parser.conf file even
when the tests are set to use source. This can lead to failures
if the system parser.conf contains options not understood by
the source parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 1033e19171941a4655565d4bbe9b69c552a2353b)
commit d89478794e4b315b066bb3d0504d9d08003b384d
Author: John Johansen <john.johansen@canonical.com>
Date: Tue Oct 13 03:48:31 2020 -0700
regression test: Fix regression tests when using in tree parser
When using the in tree parser we should not be using the system
parser.conf file, as if the system apparmor is newer than the
tree being tested the parser.conf file could contain options not
understood by the in tree apparmor_parser.
Use --config-file to specify the default in tree parser.conf
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 5ac368bce7a710c61e7d94bf1e23b03d2ace824e)
commit 738c7c60ba5d61707013fe4cf2faee2f75f4b9ec
Author: John Johansen <john.johansen@canonical.com>
Date: Fri Oct 9 14:08:27 2020 -0700
parser: Fix warning message when complain mode is forced
when a profile is being forced to complain, a variation of the
following message is displayed:
```
Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd
```
This is incorrect in that the parser doesn't even try to create the
cache, it just can't cache force complain profiles.
Output a warning message for this case that is correct.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/649
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 21060e802aa997fc7a1788fd9443f7e7be5ca1ed)
commit e142376368142963b60ab6dc3b8974552a347419
Author: John Johansen <john.johansen@canonical.com>
Date: Fri Oct 9 12:59:22 2020 -0700
parser: fix parser.conf commenting on pinning an abi
The comments describing the example rules to pin the abi are wrong.
The comments of the two example rules are swapped resulting in confusion.
While we are at it, add a reference to the wiki doc on abi, and
how to disable abi warnings without pinning.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/648
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit ec19ff9f72c0585065599bf1d10a28f45254cf00)
commit 8f39da550199fee18a821112246af5fd0d91ae06
Author: Armin Kuster <akuster@mvista.com>
Date: Wed Oct 7 20:50:38 2020 -0700
parser/Makefile: don't force host cpp to detect reallocarray
In cross build environments, using the host's cpp gives incorrect
detection of reallocarray. Change cpp to a variable.
fixes:
```
parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/647
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 0dbcbee70097ecde66708064ec1dedfa64e581e8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 2f774431cb0ffa0d540c780004ce658dba8012f5
Author: Armin Kuster <akuster808@gmail.com>
Date: Wed Oct 7 08:27:11 2020 -0700
aa_status: Fix build issue with musl
add limits.h
```
aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/647
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a2a0d14b9c5046b76124c828a53b0e9cbc1bc5c8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit b64bf7771a0b68ad4e404f34861c54b3feba961e
Author: Armin Kuster <akuster808@gmail.com>
Date: Fri Oct 2 19:43:44 2020 -0700
apparmor: fix manpage order
It tries to create a symlink before the man pages are installed.
```
ln -sf aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
| ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
...
install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/646
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 37b902849932eda888c095a65783604d540cb44f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 848664b47b41b74098b28c427e0abbf75b86ca85
Author: Anton Nesterov <anton@nesterov.cc>
Date: Tue Oct 6 19:51:07 2020 +0000
Fix dhclient and dhclient-script profiles to work on debian buster
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/645
(cherry picked from commit 9b70ef4fb74af9b5cfbce8d34de925f7540399ad)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 526c902ba2bade777c164f4ec6dbbce3f81b64da
Author: David Runge <dave@sleepmap.de>
Date: Fri Oct 2 23:58:53 2020 +0200
Skip test if it can not access /var/log/wtmp
utils/test/test-aa-notify.py:
Change `AANotifyTest.test_entries_since_login()` to be decorated by a
`skipUnless()` checking for existence of **/var/log/wtmp** (similar to
`AANotifyTest.test_entries_since_login_verbose()`).
The test otherwise fails trying to access /var/log/wtmp in environments
where the file is not available.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/120
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/641
(cherry picked from commit e0200b1b1681c2a9210f4b50788efacf671e5c8f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit b73b8ed432e24effabb41356a5974af4ae20145c
Author: Patrick Steinhardt <ps@pks.im>
Date: Sat Oct 3 20:37:55 2020 +0200
libapparmor: add missing include for `socklen_t`
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/642
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74d7973e7a54b17db6aa903701468ffd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 59589308eb577bee7316436b64d9ac2268e19c48
Author: Patrick Steinhardt <ps@pks.im>
Date: Sat Oct 3 21:04:57 2020 +0200
libapparmor: add _aa_asprintf to private symbols
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1c79c261374d928b838b5eb9244ee9b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 2ef17fa97237a78e9a41357497a94bd9c7fcaa2d
Author: Patrick Steinhardt <ps@pks.im>
Date: Sat Oct 3 20:58:45 2020 +0200
libapparmor: add `aa_features_new_from_file` to public symbols
With AppArmor release 3.0, a new function `aa_features_new_from_file`
was added, but not added to the list of public symbols. As a result,
it's not possible to make use of this function when linking against
libapparmor.so.
Fix the issue by adding it to the symbol map.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit c9255a03436e6a91bd4e410601da8d43a341ffc2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/binutils/Makefile b/binutils/Makefile
index 99e54875..3f1d0011 100644
--- a/binutils/Makefile
+++ b/binutils/Makefile
@@ -156,12 +156,12 @@ install-arch: arch
install -m 755 -d ${SBINDIR}
ln -sf aa-status ${SBINDIR}/apparmor_status
install -m 755 ${SBINTOOLS} ${SBINDIR}
- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
.PHONY: install-indep
install-indep: indep
$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
$(MAKE) install_manpages DESTDIR=${DESTDIR}
+ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
ifndef VERBOSE
.SILENT: clean
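Review bot: moving the man-page link below `$(MAKE) install_manpages DESTDIR=${DESTDIR}` fixes the failure shown in the commit message (man8/ only exists once install_manpages has run), but the sibling line `ln -sf aa-status ${SBINDIR}/apparmor_status` in install-arch still runs before `install -m 755 ${SBINTOOLS} ${SBINDIR}`; it only works because `install -m 755 -d ${SBINDIR}` precedes it and `ln -sf` happily creates a dangling link. Consider moving that link below the install line as well, so a failed tool install is not masked by a dangling apparmor_status symlink.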
diff --git a/binutils/aa_status.c b/binutils/aa_status.c
index 78b03409..41f1954e 100644
--- a/binutils/aa_status.c
+++ b/binutils/aa_status.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
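Review bot: `<limits.h>` is the right header for `PATH_MAX` on musl and glibc, but POSIX does not require `PATH_MAX` to be defined at all (GNU/Hurd leaves it undefined), so `real_exe = calloc(PATH_MAX + 1, sizeof(char))` can still fail to build there. A guarded fallback (`#ifndef PATH_MAX` / `#define PATH_MAX 4096`) next to this include, or sizing the buffer from `readlink()` return values instead of a fixed limit, would close that gap.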
diff --git a/binutils/po/aa-enabled.pot b/binutils/po/aa_enabled.pot
similarity index 63%
rename from binutils/po/aa-enabled.pot
rename to binutils/po/aa_enabled.pot
index bb2b69e7..e9850bf4 100644
--- a/binutils/po/aa-enabled.pot
+++ b/binutils/po/aa_enabled.pot
@@ -1,13 +1,14 @@
-# Copyright (C) 2015 Canonical Ltd
-# This file is distributed under the same license as the AppArmor package.
-# John Johansen <john.johansen@canonical.com>, 2015.
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"POT-Creation-Date: 2020-10-14 03:58-0700\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
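Review bot: the regenerated header replaces the concrete `Copyright (C) 2015 Canonical Ltd` / `John Johansen <john.johansen@canonical.com>, 2015.` lines with xgettext's `SOME DESCRIPTIVE TITLE` / `YEAR` / `FIRST AUTHOR` placeholders, which is a small loss of provenance in a committed file; either keep the filled-in header or note in the commit message that the templates are now regenerated verbatim. The rename from `aa-enabled.pot` to `aa_enabled.pot` also changes the text domain file name, so any existing `.po` files and the `NAME` passed to `po/Makefile` must follow the same rename or translations will silently stop being picked up.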
@@ -16,51 +17,57 @@ msgstr ""
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
-#: ../aa_enabled.c:26
+#: ../aa_enabled.c:21
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
+" -x | --exclusive Shared interfaces must be availabe\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
-#: ../aa_enabled.c:45
+#: ../aa_enabled.c:37
#, c-format
-msgid "unknown or incompatible options\n"
+msgid "No - not available on this system.\n"
msgstr ""
-#: ../aa_enabled.c:55
+#: ../aa_enabled.c:41
#, c-format
-msgid "unknown option '%s'\n"
+msgid "No - disabled at boot.\n"
msgstr ""
-#: ../aa_enabled.c:64
+#: ../aa_enabled.c:45
#, c-format
-msgid "Yes\n"
+msgid "Maybe - policy interface not available.\n"
msgstr ""
-#: ../aa_enabled.c:71
+#: ../aa_enabled.c:50
#, c-format
-msgid "No - not available on this system.\n"
+msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
-#: ../aa_enabled.c:74
+#: ../aa_enabled.c:54
#, c-format
-msgid "No - disabled at boot.\n"
+msgid "Partially - public shared interfaces are not available.\n"
msgstr ""
-#: ../aa_enabled.c:77
+#: ../aa_enabled.c:58
#, c-format
-msgid "Maybe - policy interface not available.\n"
+msgid "Error - %s\n"
msgstr ""
-#: ../aa_enabled.c:81
+#: ../aa_enabled.c:73
#, c-format
-msgid "Maybe - insufficient permissions to determine availability.\n"
+msgid "unknown or incompatible options\n"
msgstr ""
-#: ../aa_enabled.c:84
+#: ../aa_enabled.c:87
#, c-format
-msgid "Error - '%s'\n"
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:98
+#, c-format
+msgid "Yes\n"
msgstr ""
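Review bot: the new msgid at `../aa_enabled.c:21` carries a typo, `Shared interfaces must be availabe`, so translators would translate a misspelled string and every later fix to `available` invalidates their work. Fix the source string in `aa_enabled.c` first and regenerate this template. Also note that `Error - %s\n` dropped the quotes around `%s` that the old `Error - '%s'\n` had; if that was intentional, fine, but it changes user-visible output and should be mentioned.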
diff --git a/binutils/po/aa_exec.pot b/binutils/po/aa_exec.pot
new file mode 100644
index 00000000..bfaa2ffe
--- /dev/null
+++ b/binutils/po/aa_exec.pot
@@ -0,0 +1,55 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:58-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_exec.c:50
+#, c-format
+msgid ""
+"USAGE: %s [OPTIONS] <prog> <args>\n"
+"\n"
+"Confine <prog> with the specified PROFILE.\n"
+"\n"
+"OPTIONS:\n"
+" -p PROFILE, --profile=PROFILE\t\tPROFILE to confine <prog> with\n"
+" -n NAMESPACE, --namespace=NAMESPACE\tNAMESPACE to confine <prog> in\n"
+" -d, --debug\t\t\t\tshow messages with debugging information\n"
+" -i, --immediate\t\t\tchange profile immediately instead of at exec\n"
+" -v, --verbose\t\t\t\tshow messages with stats\n"
+" -h, --help\t\t\t\tdisplay this help\n"
+"\n"
+msgstr ""
+
+#: ../aa_exec.c:65
+#, c-format
+msgid "[%ld] aa-exec: ERROR: "
+msgstr ""
+
+#: ../aa_exec.c:76
+#, c-format
+msgid "[%ld] aa-exec: DEBUG: "
+msgstr ""
+
+#: ../aa_exec.c:89
+#, c-format
+msgid "[%ld] "
+msgstr ""
+
+#: ../aa_exec.c:107
+#, c-format
+msgid "[%ld] exec"
+msgstr ""
diff --git a/binutils/po/aa_features_abi.pot b/binutils/po/aa_features_abi.pot
new file mode 100644
index 00000000..12a68610
--- /dev/null
+++ b/binutils/po/aa_features_abi.pot
@@ -0,0 +1,51 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:58-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_features_abi.c:53
+#, c-format
+msgid ""
+"USAGE: %s [OPTIONS] <SOURCE> [OUTPUT OPTIONS]\n"
+"\n"
+"Output AppArmor feature abi from SOURCE to OUTPUT\n"
+"OPTIONS:\n"
+" -d, --debug show messages with debugging information\n"
+" -v, --verbose show messages with stats\n"
+" -h, --help display this help\n"
+"SOURCE:\n"
+" -f F, --file=F load features abi from file F\n"
+" -x, --extract extract features abi from the kernel\n"
+"OUTPUT OPTIONS:\n"
+" --stdout default, write features to stdout\n"
+" -w F, --write=F write features abi to the file F instead of stdout\n"
+"\n"
+msgstr ""
+
+#: ../aa_features_abi.c:73
+#, c-format
+msgid "%s: ERROR: "
+msgstr ""
+
+#: ../aa_features_abi.c:85
+#, c-format
+msgid "%s: DEBUG: "
+msgstr ""
+
+#: ../aa_features_abi.c:98
+msgid "\n"
+msgstr ""
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 32892d06..d70eff94 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -21,6 +21,7 @@
#include <stdbool.h>
#include <stdint.h>
#include <unistd.h>
+#include <sys/socket.h>
#include <sys/types.h>
#ifdef __cplusplus
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index bbff51f5..41e541ac 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
APPARMOR_3.0 {
global:
+ aa_features_new_from_file;
aa_features_write_to_fd;
aa_features_value;
local:
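Review bot: `aa_features_new_from_file` is being added to the already-released `APPARMOR_3.0` version node rather than a new one. Consumers linked against this build will reference `aa_features_new_from_file@APPARMOR_3.0` and fail to load against an unpatched 3.0.0 libapparmor.so with a missing-symbol error, with no version-node mismatch to give an earlier hint. Since 3.0.0 never exported the symbol nothing can regress, so reusing the node is acceptable, but the commit message should say so explicitly for distributions that ship 3.0.0 plus selected backports.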
@@ -126,6 +127,7 @@ APPARMOR_3.0 {
PRIVATE {
global:
_aa_is_blacklisted;
+ _aa_asprintf;
_aa_autofree;
_aa_autoclose;
_aa_autofclose;
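Review bot: `_aa_asprintf` is inserted between `_aa_is_blacklisted` and `_aa_autofree`, breaking the alphabetical order the rest of the `PRIVATE` block appears to follow (`_aa_autofree`, `_aa_autoclose`, `_aa_autofclose`); put it before `_aa_autofree` or after the `_aa_auto*` group. Functionally this is correct: symbols under `PRIVATE` are exported for apparmor_parser without any ABI promise, which also means a parser built against this libapparmor requires at least this libapparmor at runtime.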
diff --git a/parser/Makefile b/parser/Makefile
index acef3d77..8250ac45 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -54,7 +54,7 @@ endif
CPPFLAGS += -D_GNU_SOURCE
STDLIB_INCLUDE:="\#include <stdlib.h>"
-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
WARNINGS = -Wall
CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
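Review bot: switching to `${CPP}` picks up the cross toolchain because GNU make predefines `CPP = $(CC) -E`, but the failing compile quoted in the commit message (`In function 'int capable_add_cap(const char*, ...)'`) is a C++ compile, so the probe still runs the C preprocessor over `<stdlib.h>` while the real build uses `$(CXX)`. The `-D_GNU_SOURCE` in `CPPFLAGS` keeps the two in step for glibc today, but probing with `$(CXX) -E -x c++` would mirror the actual compile exactly. Separately, `grep -q reallocarray` matches any mention of the identifier in the preprocessed output, including a comment or a `#warning`, so a stricter pattern such as the declaration itself would make the detection less brittle.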
diff --git a/parser/base_cap_names.h b/parser/base_cap_names.h
index 6886ed99..9f922c22 100644
--- a/parser/base_cap_names.h
+++ b/parser/base_cap_names.h
@@ -8,6 +8,8 @@
{"bpf", CAP_BPF, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
+{"checkpoint_restore", CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
+
{"chown", CAP_CHOWN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
{"dac_override", CAP_DAC_OVERRIDE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
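Review bot: backmapping `checkpoint_restore` to `CAP_SYS_ADMIN` matches the kernel, which split CAP_CHECKPOINT_RESTORE out of CAP_SYS_ADMIN in 5.9 and still accepts either in `checkpoint_restore_ns_capable()`, so this mirrors the existing `bpf` entry correctly. The security consequence deserves a comment here or in the man page, though: on a pre-5.9 kernel a profile that says `capability checkpoint_restore,` is enforced as `capability sys_admin,`, a far broader grant than the author intended, and nothing in the parser output tells them so.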
diff --git a/parser/capability.h b/parser/capability.h
index 7d1b7a29..23edf7c6 100644
--- a/parser/capability.h
+++ b/parser/capability.h
@@ -29,6 +29,10 @@
#define CAP_BPF 39
#endif
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE 40
+#endif
+
typedef enum capability_flags {
CAPFLAGS_CLEAR = 0,
CAPFLAG_BASE_FEATURE = 1,
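Review bot: the fallback value 40 matches `CAP_CHECKPOINT_RESTORE` in Linux 5.9's `include/uapi/linux/capability.h` and follows `CAP_BPF 39` in the same pattern, so this builds against older headers. If this header also hard-codes a fallback for `CAP_LAST_CAP` or sizes any table from the highest known capability, that value needs bumping in the same change, otherwise the new entry in base_cap_names.h is one past the end on old-header builds.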
diff --git a/parser/parser.conf b/parser/parser.conf
index 3ef00d45..1d1c0da2 100644
--- a/parser/parser.conf
+++ b/parser/parser.conf
@@ -65,10 +65,15 @@
### policy to be used in AppArmor 3.x without the warning
### Warning from stdin (stdin line 1): apparmor_parser: File 'example'
### missing feature abi, falling back to default policy feature abi.
+### For more info please see
+### https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi
+
+### Turn off abi rule warnings without pinning the abi
+#warn=no-abi
### Only a single feature ABI rule should be used at a time.
## Pin older policy to the 5.4 kernel abi
-#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network
+#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla
## Pin older policy to the 5.4 kernel abi + out of tree network and af_unix
-#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla
+#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network
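Review bot: the swap is right (`kernel-5.4-vanilla` is the plain 5.4 abi, `kernel-5.4-outoftree-network` adds the out-of-tree network and af_unix mediation), but the new `#warn=no-abi` example needs one more line of comment. The warning it silences is the only signal that a profile without an `abi` rule is running on the "default policy feature abi" fallback, which is the very condition the surrounding comments describe; an admin who uncomments `warn=no-abi` instead of pinning or fixing profiles loses that signal for every profile on the system. State that trade-off next to the option.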
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 42bb7791..a0f593ac 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -1159,9 +1159,11 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
/* cache file generated by load_policy */
retval = load_policy(option, kernel_interface, cachetmp);
if (retval == 0 && write_cache) {
- if (cachetmp == -1) {
+ if (force_complain) {
+ pwarn(WARN_CACHE, "Caching disabled for: '%s' due to force complain\n", basename);
+ } else if (cachetmp == -1) {
unlink(cachetmpname);
- pwarn(WARN_CACHE, "Warning failed to create cache: %s\n",
+ pwarn(WARN_CACHE, "Failed to create cache: %s\n",
basename);
} else {
install_cache(cachetmpname, writecachename);
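Review bot: the new `if (force_complain)` branch neither installs nor unlinks `cachetmpname`. The commit message says the parser never opens a cache file for force-complain profiles, so `cachetmp` should be `-1` here, but that invariant is now only implicit: if a later change does open the temp file first, this branch leaks it on disk. Either test `cachetmp == -1 && force_complain` so the existing `unlink(cachetmpname)` path still runs otherwise, or unlink in this branch too. The reworded `Failed to create cache: %s` also drops the doubled "Warning Warning" from the old output, which is the user-visible fix from the bug report.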
diff --git a/parser/po/apparmor-parser.pot b/parser/po/apparmor-parser.pot
index 8e22fffa..df194e31 100644
--- a/parser/po/apparmor-parser.pot
+++ b/parser/po/apparmor-parser.pot
@@ -1,5 +1,5 @@
# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR NOVELL, Inc.
+# Copyright (C) YEAR Canonical Ltd
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2014-09-13 00:11-0700\n"
+"POT-Creation-Date: 2020-10-14 04:04-0700\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,95 +17,106 @@ msgstr ""
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
-#: ../parser_include.c:113 ../parser_include.c:111
+#: ../parser_include.c:113 ../parser_include.c:111 ../parser_include.c:96
msgid "Error: Out of memory.\n"
msgstr ""
-#: ../parser_include.c:123 ../parser_include.c:121
+#: ../parser_include.c:123 ../parser_include.c:121 ../parser_include.c:106
#, c-format
msgid "Error: basedir %s is not a directory, skipping.\n"
msgstr ""
-#: ../parser_include.c:137
+#: ../parser_include.c:137 ../parser_include.c:122
#, c-format
msgid "Error: Could not add directory %s to search path.\n"
msgstr ""
-#: ../parser_include.c:147 ../parser_include.c:151
+#: ../parser_include.c:147 ../parser_include.c:151 ../parser_include.c:136
msgid "Error: Could not allocate memory.\n"
msgstr ""
#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
+#: ../parser_interface.c:52
msgid "Bad write position\n"
msgstr ""
#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
+#: ../parser_interface.c:55
msgid "Permission denied\n"
msgstr ""
#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
+#: ../parser_interface.c:58
msgid "Out of memory\n"
msgstr ""
#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
+#: ../parser_interface.c:61
msgid "Couldn't copy profile: Bad memory address\n"
msgstr ""
#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
+#: ../parser_interface.c:64
msgid "Profile doesn't conform to protocol\n"
msgstr ""
#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
+#: ../parser_interface.c:67
msgid "Profile does not match signature\n"
msgstr ""
#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
+#: ../parser_interface.c:70
msgid "Profile version not supported by Apparmor module\n"
msgstr ""
#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
+#: ../parser_interface.c:73
msgid "Profile already exists\n"
msgstr ""
#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
+#: ../parser_interface.c:76
msgid "Profile doesn't exist\n"
msgstr ""
#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
+#: ../parser_interface.c:79
msgid "Permission denied; attempted to load a profile while confined?\n"
msgstr ""
#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
+#: ../parser_interface.c:82
#, c-format
msgid "Unknown error (%d): %s\n"
msgstr ""
-#: ../parser_interface.c:116 ../parser_interface.c:119
-#: ../parser_interface.c:96
+#: ../parser_interface.c:116 ../parser_interface.c:119 ../parser_interface.c:96
+#: ../parser_interface.c:100
#, c-format
msgid "%s: Unable to add \"%s\". "
msgstr ""
#: ../parser_interface.c:121 ../parser_interface.c:124
-#: ../parser_interface.c:101
+#: ../parser_interface.c:101 ../parser_interface.c:105
#, c-format
msgid "%s: Unable to replace \"%s\". "
msgstr ""
#: ../parser_interface.c:126 ../parser_interface.c:129
-#: ../parser_interface.c:106
+#: ../parser_interface.c:106 ../parser_interface.c:110
#, c-format
msgid "%s: Unable to remove \"%s\". "
msgstr ""
#: ../parser_interface.c:131 ../parser_interface.c:134
-#: ../parser_interface.c:111
+#: ../parser_interface.c:111 ../parser_interface.c:115
#, c-format
msgid "%s: Unable to write to stdout\n"
msgstr ""
#: ../parser_interface.c:135 ../parser_interface.c:138
-#: ../parser_interface.c:115
+#: ../parser_interface.c:115 ../parser_interface.c:119
#, c-format
msgid "%s: Unable to write to output file\n"
msgstr ""
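Review bot: the source references in this template are being appended rather than regenerated: entries such as `#: ../parser_include.c:113 ../parser_include.c:111 ../parser_include.c:96` now carry three generations of line numbers for one string, and the `parser_interface.c` block above gains a fourth. Only the newest of each is a real location in the tree this file was generated from. Since the `.pot` is a generated artifact, regenerating it with a clean xgettext run would drop the stale references and keep the file useful to translators; the msgid content changes themselves look fine.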
@@ -113,24 +124,25 @@ msgstr ""
#: ../parser_interface.c:138 ../parser_interface.c:162
#: ../parser_interface.c:141 ../parser_interface.c:165
#: ../parser_interface.c:118 ../parser_interface.c:142
+#: ../parser_interface.c:123 ../parser_interface.c:147
#, c-format
msgid "%s: ASSERT: Invalid option: %d\n"
msgstr ""
#: ../parser_interface.c:147 ../parser_interface.c:150
-#: ../parser_interface.c:127
+#: ../parser_interface.c:127 ../parser_interface.c:132
#, c-format
msgid "Addition succeeded for \"%s\".\n"
msgstr ""
#: ../parser_interface.c:151 ../parser_interface.c:154
-#: ../parser_interface.c:131
+#: ../parser_interface.c:131 ../parser_interface.c:136
#, c-format
msgid "Replacement succeeded for \"%s\".\n"
msgstr ""
#: ../parser_interface.c:155 ../parser_interface.c:158
-#: ../parser_interface.c:135
+#: ../parser_interface.c:135 ../parser_interface.c:140
#, c-format
msgid "Removal succeeded for \"%s\".\n"
msgstr ""
@@ -141,7 +153,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
msgstr ""
#: ../parser_interface.c:656 ../parser_interface.c:658
-#: ../parser_interface.c:446
+#: ../parser_interface.c:446 ../parser_interface.c:476
#, c-format
msgid "profile %s network rules not enforced\n"
msgstr ""
@@ -186,7 +198,7 @@ msgid "%s: Unable to write entire profile entry\n"
msgstr ""
#: ../parser_interface.c:839 ../parser_interface.c:831
-#: ../parser_interface.c:593
+#: ../parser_interface.c:593 ../parser_interface.c:579
#, c-format
msgid "%s: Unable to write entire profile entry to cache\n"
msgstr ""
@@ -196,7 +208,7 @@ msgstr ""
msgid "Could not open '%s'"
msgstr ""
-#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173 parser_lex.l:174
#, c-format
msgid "fstat failed for '%s'"
msgstr ""
@@ -222,7 +234,7 @@ msgstr ""
msgid "Found unexpected character: '%s'"
msgstr ""
-#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428 parser_lex.l:474
msgid "Variable declarations do not accept trailing commas"
msgstr ""
@@ -242,6 +254,7 @@ msgid "%s: Could not allocate memory for subdomainbase mount point\n"
msgstr ""
#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
+#: ../parser_main.c:1444
#, c-format
msgid ""
"Warning: unable to find a suitable fs in %s, is it mounted?\n"
@@ -249,6 +262,7 @@ msgid ""
msgstr ""
#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
+#: ../parser_main.c:822
#, c-format
msgid ""
"%s: Sorry. You need root privileges to run this program.\n"
@@ -256,6 +270,7 @@ msgid ""
msgstr ""
#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
+#: ../parser_main.c:828
#, c-format
msgid ""
"%s: Warning! You've set this program setuid root.\n"
@@ -264,7 +279,7 @@ msgid ""
msgstr ""
#: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946 ../parser_main.c:860
+#: ../parser_main.c:946 ../parser_main.c:860 ../parser_main.c:1038
#, c-format
msgid "Error: Could not read profile %s: %s.\n"
msgstr ""
@@ -286,26 +301,36 @@ msgstr ""
#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
-#: ../network.c:314 ../af_unix.cc:203
+#: ../network.c:314 ../af_unix.cc:203 ../parser_misc.c:215 ../parser_misc.c:939
+#: parser_yacc.y:343 parser_yacc.y:367 parser_yacc.y:533 parser_yacc.y:543
+#: parser_yacc.y:660 parser_yacc.y:741 parser_yacc.y:750 parser_yacc.y:1171
+#: parser_yacc.y:1219 parser_yacc.y:1255 parser_yacc.y:1264 parser_yacc.y:1268
+#: parser_yacc.y:1278 parser_yacc.y:1288 parser_yacc.y:1382 parser_yacc.y:1460
+#: parser_yacc.y:1592 parser_yacc.y:1597 parser_yacc.y:1674 parser_yacc.y:1692
+#: parser_yacc.y:1699 parser_yacc.y:1748 ../network.c:315 ../af_unix.cc:194
msgid "Memory allocation error."
msgstr ""
#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
+#: ../parser_main.c:975
#, c-format
msgid "Cached load succeeded for \"%s\".\n"
msgstr ""
#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
+#: ../parser_main.c:979
#, c-format
msgid "Cached reload succeeded for \"%s\".\n"
msgstr ""
#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
+#: ../parser_main.c:1132
#, c-format
msgid "%s: Errors found in file. Aborting.\n"
msgstr ""
#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
+#: ../parser_misc.c:532
msgid ""
"Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
"See the apparmor.d(5) manpage for details.\n"
@@ -313,14 +338,17 @@ msgstr ""
#: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
+#: ../parser_misc.c:573 ../parser_misc.c:580
msgid "Conflict 'a' and 'w' perms are mutually exclusive."
msgstr ""
#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
+#: ../parser_misc.c:597
msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
msgstr ""
#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
+#: ../parser_misc.c:608
#, c-format
msgid ""
"Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -329,22 +357,26 @@ msgstr ""
#: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
+#: ../parser_misc.c:616 ../parser_misc.c:657
#, c-format
msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
msgstr ""
#: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
+#: ../parser_misc.c:643 ../parser_misc.c:651
#, c-format
msgid "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
msgstr ""
#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
+#: ../parser_misc.c:699
#, c-format
msgid "Internal: unexpected mode character '%c' in input"
msgstr ""
#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
+#: ../parser_misc.c:721
#, c-format
msgid "Internal error generated invalid perm 0x%llx\n"
msgstr ""
@@ -356,10 +388,12 @@ msgid "AppArmor parser error: %s\n"
msgstr ""
#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
+#: ../parser_merge.c:71
msgid "Couldn't merge entries. Out of Memory\n"
msgstr ""
#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
+#: ../parser_merge.c:93
#, c-format
msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
msgstr ""
@@ -368,114 +402,117 @@ msgstr ""
msgid "Profile attachment must begin with a '/'."
msgstr ""
-#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348 parser_yacc.y:407
msgid ""
"Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
msgstr ""
-#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384 parser_yacc.y:449
#, c-format
msgid "Failed to create alias %s -> %s\n"
msgstr ""
-#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506 parser_yacc.y:581
msgid "Profile flag chroot_relative conflicts with namespace_relative"
msgstr ""
-#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510 parser_yacc.y:585
msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
msgstr ""
-#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513 parser_yacc.y:588
msgid "Profile flag attach_disconnected conflicts with no_attach_disconnected"
msgstr ""
-#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516 parser_yacc.y:591
msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
msgstr ""
-#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530 parser_yacc.y:607
msgid "Profile flag 'debug' is no longer valid."
msgstr ""
-#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552 parser_yacc.y:629
#, c-format
msgid "Invalid profile flag: %s."
msgstr ""
#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
+#: parser_yacc.y:673
msgid "Assert: `rule' returned NULL."
msgstr ""
#: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
-#: parser_yacc.y:598 parser_yacc.y:630
+#: parser_yacc.y:598 parser_yacc.y:630 parser_yacc.y:677 parser_yacc.y:709
msgid ""
"Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
"'p', or 'u'"
msgstr ""
-#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602 parser_yacc.y:681
msgid ""
"Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
msgstr ""
-#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633 parser_yacc.y:712
msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
msgstr ""
#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
+#: parser_yacc.y:739
msgid "Assert: `network_rule' return invalid protocol."
msgstr ""
-#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786 parser_yacc.y:867
msgid "Assert: `change_profile' returned NULL."
msgstr ""
-#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810 parser_yacc.y:905
msgid "Assert: 'hat rule' returned NULL."
msgstr ""
-#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819 parser_yacc.y:914
msgid "Assert: 'local_profile rule' returned NULL."
msgstr ""
-#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992 parser_yacc.y:1077
#, c-format
msgid "Unset boolean variable %s used in if-expression"
msgstr ""
-#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092 parser_yacc.y:1181
msgid "unsafe rule missing exec permissions"
msgstr ""
-#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060 parser_yacc.y:1148
msgid "subset can only be used with link rules."
msgstr ""
-#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062 parser_yacc.y:1150
msgid "link and exec perms conflict on a file rule using ->"
msgstr ""
-#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064 parser_yacc.y:1152
msgid "link perms are not allowed on a named profile transition.\n"
msgstr ""
-#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109 parser_yacc.y:1198
#, c-format
msgid "missing an end of line character? (entry: %s)"
msgstr ""
#: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
-#: parser_yacc.y:1145 parser_yacc.y:1155
+#: parser_yacc.y:1145 parser_yacc.y:1155 parser_yacc.y:1234 parser_yacc.y:1244
msgid "Invalid network entry."
msgstr ""
#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
+#: parser_yacc.y:1617
#, c-format
msgid "Invalid capability %s."
msgstr ""
-#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525 parser_yacc.y:1637
#, c-format
msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
msgstr ""
@@ -491,17 +528,20 @@ msgid "%s: Illegal open {, nesting groupings not allowed\n"
msgstr ""
#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
+#: ../parser_regex.c:306
#, c-format
msgid "%s: Regex grouping error: Invalid number of items between {}\n"
msgstr ""
#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
+#: ../parser_regex.c:312
#, c-format
msgid ""
"%s: Regex grouping error: Invalid close }, no matching open { detected\n"
msgstr ""
#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
+#: ../parser_regex.c:403
#, c-format
msgid ""
"%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -514,16 +554,19 @@ msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
msgstr ""
#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
+#: ../parser_regex.c:419
#, c-format
msgid "%s: Unable to parse input line '%s'\n"
msgstr ""
#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
+#: ../parser_regex.c:487
#, c-format
msgid "%s: Invalid profile name '%s' - bad regular expression\n"
msgstr ""
#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
+#: ../parser_policy.c:383
#, c-format
msgid "ERROR merging rules for profile %s, failed to load\n"
msgstr ""
@@ -537,16 +580,19 @@ msgid ""
msgstr ""
#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
+#: ../parser_policy.c:340
#, c-format
msgid "ERROR processing regexs for profile %s, failed to load\n"
msgstr ""
#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
+#: ../parser_policy.c:370
#, c-format
msgid "ERROR expanding variables for profile %s, failed to load\n"
msgstr ""
#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
+#: ../parser_policy.c:363
#, c-format
msgid "ERROR adding hat access rule for profile %s\n"
msgstr ""
@@ -576,7 +622,7 @@ msgstr ""
msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
msgstr ""
-#: parser_lex.l:180 parser_lex.l:186
+#: parser_lex.l:180 parser_lex.l:186 parser_lex.l:187
#, c-format
msgid "Could not process include directory '%s' in '%s'"
msgstr ""
@@ -586,7 +632,8 @@ msgid "Feature buffer full."
msgstr ""
#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
-#: ../parser_main.c:1041
+#: ../parser_main.c:1041 ../parser_main.c:1332 ../parser_main.c:1354
+#: ../parser_misc.c:280 ../parser_misc.c:299 ../parser_misc.c:308
msgid "Out of memory"
msgstr ""
@@ -615,11 +662,11 @@ msgstr ""
msgid "Internal error generated invalid DBus perm 0x%x\n"
msgstr ""
-#: parser_yacc.y:575 parser_yacc.y:621
+#: parser_yacc.y:575 parser_yacc.y:621 parser_yacc.y:700
msgid "deny prefix not allowed"
msgstr ""
-#: parser_yacc.y:612 parser_yacc.y:658
+#: parser_yacc.y:612 parser_yacc.y:658 parser_yacc.y:737
msgid "owner prefix not allowed"
msgstr ""
@@ -635,41 +682,41 @@ msgstr ""
msgid "owner prefix not allow on capability rules"
msgstr ""
-#: parser_yacc.y:1357 parser_yacc.y:1613
+#: parser_yacc.y:1357 parser_yacc.y:1613 parser_yacc.y:1722
#, c-format
msgid "invalid mount conditional %s%s"
msgstr ""
-#: parser_yacc.y:1374 parser_yacc.y:1628
+#: parser_yacc.y:1374 parser_yacc.y:1628 parser_yacc.y:1737
msgid "bad mount rule"
msgstr ""
-#: parser_yacc.y:1381 parser_yacc.y:1635
+#: parser_yacc.y:1381 parser_yacc.y:1635 parser_yacc.y:1744
msgid "mount point conditions not currently supported"
msgstr ""
-#: parser_yacc.y:1398 parser_yacc.y:1650
+#: parser_yacc.y:1398 parser_yacc.y:1650 parser_yacc.y:1759
#, c-format
msgid "invalid pivotroot conditional '%s'"
msgstr ""
-#: ../parser_regex.c:241 ../parser_regex.c:236
+#: ../parser_regex.c:241 ../parser_regex.c:236 ../parser_regex.c:264
#, c-format
msgid ""
"%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
msgstr ""
-#: ../parser_regex.c:257 ../parser_regex.c:256
+#: ../parser_regex.c:257 ../parser_regex.c:256 ../parser_regex.c:284
#, c-format
msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
msgstr ""
-#: ../parser_policy.c:366 ../parser_policy.c:339
+#: ../parser_policy.c:366 ../parser_policy.c:339 ../parser_policy.c:347
#, c-format
msgid "ERROR processing policydb rules for profile %s, failed to load\n"
msgstr ""
-#: ../parser_policy.c:396 ../parser_policy.c:369
+#: ../parser_policy.c:396 ../parser_policy.c:369 ../parser_policy.c:377
#, c-format
msgid "ERROR replacing aliases for profile %s, failed to load\n"
msgstr ""
@@ -689,51 +736,244 @@ msgstr ""
msgid "Error: Could not read cache file '%s', skipping...\n"
msgstr ""
-#: ../parser_misc.c:575
+#: ../parser_misc.c:575 ../parser_misc.c:768
#, c-format
msgid "Internal: unexpected %s mode character '%c' in input"
msgstr ""
-#: ../parser_misc.c:599
+#: ../parser_misc.c:599 ../parser_misc.c:792
#, c-format
msgid "Internal error generated invalid %s perm 0x%x\n"
msgstr ""
-#: parser_yacc.y:703
+#: parser_yacc.y:703 parser_yacc.y:784
msgid "owner prefix not allowed on mount rules"
msgstr ""
-#: parser_yacc.y:720
+#: parser_yacc.y:720 parser_yacc.y:801
msgid "owner prefix not allowed on dbus rules"
msgstr ""
-#: parser_yacc.y:736
+#: parser_yacc.y:736 parser_yacc.y:817
msgid "owner prefix not allowed on signal rules"
msgstr ""
-#: parser_yacc.y:752
+#: parser_yacc.y:752 parser_yacc.y:833
msgid "owner prefix not allowed on ptrace rules"
msgstr ""
-#: parser_yacc.y:768
+#: parser_yacc.y:768 parser_yacc.y:849 parser_yacc.y:869
msgid "owner prefix not allowed on unix rules"
msgstr ""
-#: parser_yacc.y:794
+#: parser_yacc.y:794 parser_yacc.y:885
msgid "owner prefix not allowed on capability rules"
msgstr ""
-#: parser_yacc.y:1293
+#: parser_yacc.y:1293 parser_yacc.y:1377
#, c-format
msgid "dbus rule: invalid conditional group %s=()"
msgstr ""
-#: parser_yacc.y:1371
+#: parser_yacc.y:1371 parser_yacc.y:1455
#, c-format
msgid "unix rule: invalid conditional group %s=()"
msgstr ""
-#: ../parser_regex.c:368
+#: ../parser_regex.c:368 ../parser_regex.c:410
#, c-format
msgid "%s: Regex error: trailing '\\' escape character\n"
msgstr ""
+
+#: ../parser_common.c:112
+#, c-format
+msgid "%s from %s (%s%sline %d): %s"
+msgstr ""
+
+#: ../parser_common.c:113
+msgid "Warning converted to Error"
+msgstr ""
+
+#: ../parser_common.c:113
+msgid "Warning"
+msgstr ""
+
+#: ../parser_interface.c:524
+#, c-format
+msgid "Unable to open stdout - %s\n"
+msgstr ""
+
+#: ../parser_interface.c:533
+#, c-format
+msgid "Unable to open output file - %s\n"
+msgstr ""
+
+#: parser_lex.l:326
+msgid "Failed to process filename\n"
+msgstr ""
+
+#: parser_lex.l:720
+#, c-format
+msgid "Lexer found unexpected character: '%s' (0x%x) in state: %s"
+msgstr ""
+
+#: ../parser_main.c:915
+#, c-format
+msgid "Unable to print the cache directory: %m\n"
+msgstr ""
+
+#: ../parser_main.c:951
+#, c-format
+msgid "Error: Could not load profile %s: %s\n"
+msgstr ""
+
+#: ../parser_main.c:961
+#, c-format
+msgid "Error: Could not replace profile %s: %s\n"
+msgstr ""
+
+#: ../parser_main.c:966
+#, c-format
+msgid "Error: Invalid load option specified: %d\n"
+msgstr ""
+
+#: ../parser_main.c:1077
+#, c-format
+msgid "Could not get cachename for '%s'\n"
+msgstr ""
+
+#: ../parser_main.c:1434
+msgid "Kernel features abi not found"
+msgstr ""
+
+#: ../parser_main.c:1438
+msgid "Failed to add kernel capabilities to known capabilities set"
+msgstr ""
+
+#: ../parser_main.c:1465
+#, c-format
+msgid "Failed to clear cache files (%s): %s\n"
+msgstr ""
+
+#: ../parser_main.c:1474
+msgid ""
+"The --create-cache-dir option is deprecated. Please use --write-cache.\n"
+msgstr ""
+
+#: ../parser_main.c:1479
+#, c-format
+msgid "Failed setting up policy cache (%s): %s\n"
+msgstr ""
+
+#: ../parser_misc.c:904
+#, c-format
+msgid "Namespace not terminated: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:906
+#, c-format
+msgid "Empty namespace: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:908
+#, c-format
+msgid "Empty named transition profile name: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:910
+#, c-format
+msgid "Unknown error while parsing label: %s\n"
+msgstr ""
+
+#: parser_yacc.y:306
+msgid "Failed to setup default policy feature abi"
+msgstr ""
+
+#: parser_yacc.y:308
+#, c-format
+msgid ""
+"%s: File '%s' missing feature abi, falling back to default policy feature "
+"abi\n"
+msgstr ""
+
+#: parser_yacc.y:313
+msgid "Failed to add policy capabilities to known capabilities set"
+msgstr ""
+
+#: parser_yacc.y:350
+msgid "Profile names must begin with a '/' or a namespace"
+msgstr ""
+
+#: parser_yacc.y:372
+msgid "Profile attachment must begin with a '/' or variable."
+msgstr ""
+
+#: parser_yacc.y:375
+#, c-format
+msgid "profile id: invalid conditional group %s=()"
+msgstr ""
+
+#: parser_yacc.y:404
+msgid ""
+"The use of file paths as profile names is deprecated. See man apparmor.d for "
+"more information\n"
+msgstr ""
+
+#: parser_yacc.y:573
+#, c-format
+msgid "Profile flag '%s' conflicts with '%s'"
+msgstr ""
+
+#: parser_yacc.y:954
+msgid "RLIMIT 'cpu' no units specified using default units of seconds\n"
+msgstr ""
+
+#: parser_yacc.y:966
+msgid ""
+"RLIMIT 'rttime' no units specified using default units of microseconds\n"
+msgstr ""
+
+#: parser_yacc.y:1582
+msgid "Exec condition is required when unsafe or safe keywords are present"
+msgstr ""
+
+#: parser_yacc.y:1584
+msgid "Exec condition must begin with '/'."
+msgstr ""
+
+#: parser_yacc.y:1643
+#, c-format
+msgid "AppArmor parser error at line %d: %s\n"
+msgstr ""
+
+#: parser_yacc.y:1790
+#, c-format
+msgid "Could not open '%s': %m"
+msgstr ""
+
+#: parser_yacc.y:1795
+#, c-format
+msgid "fstat failed for '%s': %m"
+msgstr ""
+
+#: parser_yacc.y:1809
+#, c-format
+msgid "failed to find features abi '%s': %m"
+msgstr ""
+
+#: parser_yacc.y:1813
+#, c-format
+msgid ""
+"%s: %s features abi '%s' differs from policy declared feature abi, using the "
+"features abi declared in policy\n"
+msgstr ""
+
+#: ../parser_regex.c:98 ../parser_regex.c:238
+#, c-format
+msgid "%s: Invalid glob type %d\n"
+msgstr ""
+
+#: ../parser_regex.c:693
+#, c-format
+msgid "The current kernel does not support stacking of named transitions: %s\n"
+msgstr ""
diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
index 59b79a15..6cce2e1f 100644
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@@ -17,6 +17,7 @@
# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
+ owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
@@ -29,7 +30,7 @@
owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display
- /tmp/.X11-unix/* r,
+ /tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
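Review bot: the widening of `/tmp/.X11-unix/* r,` to `rw,` is justified but needs a comment, because on its own it reads as a write grant under a world-writable directory: the `unix (connect, receive, send) ... peer=(addr="@/tmp/.X11-unix/X[0-9]*")` rule below only covers the abstract-namespace socket, and connecting to the filesystem-path variant of the display socket is mediated as a write on the socket inode, which the old `r` did not permit. Suggest extending the comment on the line above to say `w` is for connect() on the path-based socket; `*` does not recurse, so the rule cannot be used to create files anywhere else under /tmp.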
diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts
index 402703d7..46324dbb 100644
--- a/profiles/apparmor.d/abstractions/fonts
+++ b/profiles/apparmor.d/abstractions/fonts
@@ -52,6 +52,8 @@
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** r,
+ owner @{HOME}/.Fontmatrix/Activated/ r,
+ owner @{HOME}/.Fontmatrix/Activated/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
diff --git a/profiles/apparmor.d/abstractions/mesa b/profiles/apparmor.d/abstractions/mesa
index 01609ff9..11cb40d0 100644
--- a/profiles/apparmor.d/abstractions/mesa
+++ b/profiles/apparmor.d/abstractions/mesa
@@ -12,11 +12,18 @@
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
- owner @{HOME}/.cache/mesa_shader_cache/ w,
+ owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
- owner @{HOME}/.cache/mesa_shader_cache/??/ w,
- owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+ # Fallback location when @{HOME}/.cache is not available
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>
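Review bot: two things to confirm in the rewritten cache rules. First, the lock permission moved: the old `??/* rwk` granted `k` on every entry, while the new rules give `[0-9a-f]* rw` and reserve `rwk` for `[0-9a-f]*.tmp`, so a lock taken on a final (renamed) cache entry rather than on the `.tmp` file would now be denied; if the split is intentional the commit message should say so. Second, a style nit: the directory component is spelled `[a-f0-9][a-f0-9]` and the file component `[0-9a-f]*`, the same class written two ways. The `/tmp/Temp-[a-f0-9]*/` fallback keeps the `owner` qualifier, which is the part that matters for a path under a world-writable directory.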
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers b/profiles/apparmor.d/abstractions/ubuntu-browsers
index a0548f4b..c2c710a1 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers
@@ -38,3 +38,4 @@
/usr/lib/icecat-*/icecat Cx -> sanitized_helper,
/usr/bin/opera Cx -> sanitized_helper,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,
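Review bot: the brace alternation `brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly}` matches the full cross product (for example `brave-beta/brave-browser-nightly`), which is wider than any real install; it mirrors the `google-chrome{,-beta,-unstable}` line above and is harmless because the target is the same `sanitized_helper` child profile, but it is worth knowing that the pattern is looser than it looks.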
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
index d8fcdf1f..cdbd47cd 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -28,10 +28,7 @@
/usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
# Exo-aware applications
- /usr/bin/exo-open ixr,
- /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
- /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
- /etc/xdg/xfce4/helpers.rc r,
+ include <abstractions/exo-open>
# unity webapps integration. Could go in its own abstraction
owner /run/user/*/dconf/user rw,
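Review bot: the replacement is a hard `include <abstractions/exo-open>` rather than `include if exists`, so this file now fails to parse on any system whose profiles tree does not ship `abstractions/exo-open`; this diff does not add that file, so it must already exist in the 3.0.0 tree or be delivered by the same upstream change. Also worth checking that the new abstraction grants at least what is removed here (`exo-open ixr`, `exo-helper-1 ixr`, the two `helpers.rc r` lines), since a narrower abstraction would silently break xdg-open integration for every browser profile that includes this file.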
diff --git a/profiles/apparmor.d/abstractions/ubuntu-helpers b/profiles/apparmor.d/abstractions/ubuntu-helpers
index 101cd599..4b9ea96b 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
@@ -74,6 +74,12 @@ profile sanitized_helper {
/opt/google/chrome{,-beta,-unstable}/chrome Pixr,
/opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+ # The same is needed for Brave
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
+
# Full access
/ r,
/** rwkl,
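Review bot: `chrome-sandbox PUxr` deserves an inline comment: `Ux` means the setuid sandbox helper runs unconfined when no dedicated profile exists (with the environment scrubbed by the `U`), so this is a deliberate exit from `sanitized_helper`, not a typo; the comment "The same is needed for Brave" implies the Chrome equivalent is above this hunk, and pointing at that line would make the precedent explicit. The `Pixr` lines and the `lib*.so{,.*} m` rule match the Chrome block shown in context, and the `{,**/}` on the library rule is the same depth as the Chrome one.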
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index d911b60d..7ae9a148 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -70,8 +70,6 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
@{PROC}/sys/net/ipv6/conf/*/mtu r,
- # closing superfluous file descriptors scans /proc/self/fd/ to find open ones
- @{PROC}/@{pid}/fd/ r,
# for the read-only TFTP server
@{TFTP_DIR}/ r,
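Review bot: the removed `@{PROC}/@{pid}/fd/ r,` line came with a comment documenting a concrete, previously observed need (dnsmasq scanning its own fd table to close inherited descriptors), and the hunk offers no replacement; if that access is now provided by an abstraction the profile includes, the commit message should name it, otherwise this reintroduces a startup denial that was fixed once already. Easy to verify by restarting dnsmasq under the new profile and checking the audit log for a `/proc/<pid>/fd/` denial.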
diff --git a/profiles/apparmor.d/usr.sbin.nscd b/profiles/apparmor.d/usr.sbin.nscd
index 339d4ad8..7cb40d8f 100644
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@@ -30,7 +30,7 @@ profile nscd /usr/{bin,sbin}/nscd {
@{run}/nscd/ rw,
@{run}/nscd/db* rwl,
@{run}/nscd/socket wl,
- /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
@{run}/{nscd/,}nscd.pid rwl,
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/*.status r,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhclient b/profiles/apparmor/profiles/extras/sbin.dhclient
index 7043d465..7b15dca3 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -58,14 +58,14 @@ profile dhclient /{usr/,}sbin/dhclient {
/usr/lib/{NetworkManager/,}nm-dhcp-helper rix,
/var/lib/dhclient/dhclient{6,}.leases* rw,
/var/lib/dhcp/dhclient*.leases rw,
- /var/lib/dhcp6/dhclient.leases rw,
+ /var/lib/dhcp{6,}/dhclient.leases rw,
/var/lib/NetworkManager/dhclient{6,}-*.conf r,
/var/lib/NetworkManager/dhclient{6,}-*.lease rw,
/var/log/lastlog r,
/var/log/messages r,
/var/log/wtmp r,
/{,var/}run/dhclient{6,}.pid rw,
- /{,var/}run/dhclient{6,}-*.pid rw,
+ /{,var/}run/dhclient{6,}{-,.}*.pid rw,
/var/spool r,
/var/spool/mail r,
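Review bot: the new `/var/lib/dhcp{6,}/dhclient.leases rw,` overlaps with the unchanged `/var/lib/dhcp/dhclient*.leases rw,` two lines above it, which already matches `/var/lib/dhcp/dhclient.leases`; only the `dhcp6/` half of the alternation adds anything, so either keep the original `dhcp6` rule or fold both into one `dhcp{6,}/dhclient*.leases` pattern. The `{-,.}*.pid` change in the second part of the hunk is fine.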
diff --git a/profiles/apparmor/profiles/extras/sbin.dhclient-script b/profiles/apparmor/profiles/extras/sbin.dhclient-script
index 637ab8ff..7b311352 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhclient-script
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -12,13 +12,20 @@ profile dhclient-script /{usr/,}sbin/dhclient-script {
include <abstractions/bash>
include <abstractions/consoles>
+ /{usr/,}bin/dash rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/touch rix,
+ /{usr/,}bin/run-parts rix,
+ /{usr/,}bin/logger rix,
/dev/.sysconfig/network/** r,
/etc/netconfig.d/* mrix,
/etc/sysconfig/network/** r,
+ /etc/dhcp/{**,} r,
/{usr/,}sbin/dhclient-script r,
/{usr/,}sbin/ip rix,
+ /{usr/,}sbin/resolvconf rPux,
+
+ include if exists <local/sbin.dhclient-script>
}
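Review bot: `/{usr/,}sbin/resolvconf rPux,` on the added line falls back to running resolvconf unconfined, without environment scrubbing, whenever no resolvconf profile is loaded. If the unconfined fallback is intended, `rPUx` scrubs the environment on that path and is the safer choice; if it is not, `rPx` turns a missing profile into an explicit denial instead of a silent escape from confinement.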
diff --git a/tests/regression/apparmor/aa_policy_cache.sh b/tests/regression/apparmor/aa_policy_cache.sh
index 8a787a8a..6fe97e47 100755
--- a/tests/regression/apparmor/aa_policy_cache.sh
+++ b/tests/regression/apparmor/aa_policy_cache.sh
@@ -56,7 +56,7 @@ create_cache_files()
do
cachefile="${cachedir}/${policy}"
- echo "profile $policy { /f r, }" | ${subdomain} -qS > "$cachefile"
+ echo "profile $policy { /f r, }" | ${subdomain} "${parser_config}" -qS > "$cachefile"
done
}
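Review bot: `"${parser_config}"` on the added line is double-quoted, so when parser_config is empty (uservars.inc.system sets `parser_config=""`) apparmor_parser receives an empty string as an extra positional argument instead of receiving nothing. Use the unquoted `${parser_config}`, as parser_args does when it embeds the same value, or `${parser_config:+"$parser_config"}` so the argument disappears when the variable is empty.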
diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
index 198df439..5ec1aa6f 100644
--- a/tests/regression/apparmor/uservars.inc.source
+++ b/tests/regression/apparmor/uservars.inc.source
@@ -3,7 +3,8 @@ subdomain=${PWD}/../../../parser/apparmor_parser
#subdomain=/sbin/apparmor_parser
# 2. additional arguments to the apparmor parser
-parser_args="-q -K"
+parser_config="--config-file=${PWD}/../../../parser/parser.conf"
+parser_args="${parser_config} -q -K"
# 3. directory to be used for temp files
# Need to be able to access this directory by the root and nobody users.
diff --git a/tests/regression/apparmor/uservars.inc.system b/tests/regression/apparmor/uservars.inc.system
index c448a6b7..6c41ac44 100644
--- a/tests/regression/apparmor/uservars.inc.system
+++ b/tests/regression/apparmor/uservars.inc.system
@@ -3,7 +3,9 @@
subdomain=/sbin/apparmor_parser
# 2. additional arguments to the apparmor parser
-parser_args="-q -K"
+parser_config=""
+parser_args="${parser_config} -q -K"
+
# 3. directory to be used for temp files
# Need to be able to access this directory by the root and nobody users.
diff --git a/utils/Makefile b/utils/Makefile
index d31ed380..1f08f259 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -87,12 +87,17 @@ check_severity_db: /usr/include/linux/capability.h severity.db
test "$$RC" -eq 0
# check_pod_files is defined in common/Make.rules
-.PHONY: check
-.SILENT: check
-check: check_severity_db check_pod_files
+.PHONY: check_lint
+.SILENT: check_lint
+check_lint:
for i in ${PYTOOLS} apparmor test/*.py; do \
echo Checking $$i; \
$(PYFLAKES) $$i || exit 1; \
done
+
+# check_pod_files is defined in common/Make.rules
+.PHONY: check
+.SILENT: check
+check: check_severity_db check_pod_files check_lint
$(MAKE) -C test check
$(MAKE) -C vim check
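Review bot: the comment `# check_pod_files is defined in common/Make.rules` now appears twice: the original copy (right after `test "$$RC" -eq 0`) sits above the new `check_lint` target, which does not reference check_pod_files, while the added copy above `check` is the one that applies. Drop the first one.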
diff --git a/utils/aa-genprof b/utils/aa-genprof
index 1ba58d07..bf5c5ee6 100755
--- a/utils/aa-genprof
+++ b/utils/aa-genprof
@@ -72,20 +72,14 @@ if args.json:
aaui.set_json_mode()
profiling = args.program
-profiledir = args.dir
-apparmor.init_aa()
+apparmor.init_aa(profiledir=args.dir)
apparmor.set_logfile(args.file)
aa_mountpoint = apparmor.check_for_apparmor()
if not aa_mountpoint:
raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))
-if profiledir:
- apparmor.profile_dir = apparmor.get_full_path(profiledir)
- if not os.path.isdir(apparmor.profile_dir):
- raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)
-
program = None
#if os.path.exists(apparmor.which(profiling.strip())):
if os.path.exists(profiling):
diff --git a/utils/aa-logprof b/utils/aa-logprof
index ac7e7836..b56d4e64 100755
--- a/utils/aa-logprof
+++ b/utils/aa-logprof
@@ -13,7 +13,6 @@
#
# ----------------------------------------------------------------------
import argparse
-import os
import apparmor.aa as apparmor
import apparmor.ui as aaui
@@ -36,21 +35,16 @@ args = parser.parse_args()
if args.json:
aaui.set_json_mode()
-profiledir = args.dir
logmark = args.mark or ''
-apparmor.init_aa()
+apparmor.init_aa(profiledir=args.dir)
+
apparmor.set_logfile(args.file)
aa_mountpoint = apparmor.check_for_apparmor()
if not aa_mountpoint:
raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))
-if profiledir:
- apparmor.profile_dir = apparmor.get_full_path(profiledir)
- if not os.path.isdir(apparmor.profile_dir):
- raise apparmor.AppArmorException("%s is not a directory."%profiledir)
-
apparmor.loadincludes()
apparmor.read_profiles(True)
diff --git a/utils/aa-mergeprof b/utils/aa-mergeprof
index 2e744758..4b67719e 100755
--- a/utils/aa-mergeprof
+++ b/utils/aa-mergeprof
@@ -14,7 +14,6 @@
#
# ----------------------------------------------------------------------
import argparse
-import os
import apparmor.aa
@@ -22,7 +21,6 @@ import apparmor.severity
import apparmor.cleanprofile as cleanprofile
import apparmor.ui as aaui
-from apparmor.common import AppArmorException
# setup exception handling
@@ -41,16 +39,10 @@ args = parser.parse_args()
args.other = None
-apparmor.aa.init_aa()
+apparmor.aa.init_aa(profiledir=args.dir)
profiles = args.files
-profiledir = args.dir
-if profiledir:
- apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
- if not os.path.isdir(apparmor.aa.profile_dir):
- raise AppArmorException(_("%s is not a directory.") %profiledir)
-
def find_profiles_from_files(files):
profile_to_filename = dict()
for file_name in files:
diff --git a/utils/aa-notify b/utils/aa-notify
index 7bb8997c..b98a5d43 100755
--- a/utils/aa-notify
+++ b/utils/aa-notify
@@ -256,7 +256,7 @@ def follow_apparmor_events(logfile, wait=0):
continue
yield event
- if debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
+ if debug_logger.debugging and debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
debug_logger.debug('Debug mode detected: aborting notification emitter after 100 seconds.')
sys.exit(0)
@@ -407,7 +407,8 @@ def main():
debug_logger.activateStderr()
debug_logger.debug('Logging level: {}'.format(debug_logger.debug_level))
debug_logger.debug('Running as uid: {0[0]}, euid: {0[1]}, suid: {0[2]}'.format(os.getresuid()))
-
+ if args.poll:
+ debug_logger.debug('Running with --debug and --poll. Will exit in 100s')
# Sanity checks
user_ids = os.getresuid()
groups_ids = os.getresgid()
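Review bot: the 100 second limit is now a literal in the condition of the first hunk (`> 100`) and is repeated in two debug strings, one per hunk; a module-level constant used in all three places keeps them from drifting. In the second hunk the message is emitted only when `args.poll` is set, while the early exit in follow_apparmor_events depends only on `debug_logger.debugging` and the level; if that generator is also reached without --poll, the message and the actual behaviour disagree.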
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 4cb2155f..b6bb0968 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -2511,7 +2511,7 @@ def logger_path():
######Initialisations######
-def init_aa(confdir="/etc/apparmor"):
+def init_aa(confdir="/etc/apparmor", profiledir=None):
global CONFDIR
global conf
global cfg
@@ -2534,7 +2534,10 @@ def init_aa(confdir="/etc/apparmor"):
if cfg['settings'].get('default_owner_prompt', False):
cfg['settings']['default_owner_prompt'] = ''
- profile_dir = conf.find_first_dir(cfg['settings'].get('profiledir')) or '/etc/apparmor.d'
+ if profiledir:
+ profile_dir = profiledir
+ else:
+ profile_dir = conf.find_first_dir(cfg['settings'].get('profiledir')) or '/etc/apparmor.d'
profile_dir = os.path.abspath(profile_dir)
if not os.path.isdir(profile_dir):
raise AppArmorException('Can\'t find AppArmor profiles in %s' % (profile_dir))
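Review bot: when `profiledir` is passed, the new branch hands the value to os.path.abspath, whereas the call sites deleted in aa-genprof, aa-logprof, aa-mergeprof and tools.py ran it through apparmor.get_full_path; if get_full_path resolved symlinks, a --dir that points at a symlink is now handled differently. The user-facing error also changes from the translated `%s is not a directory.` those callers raised to the untranslated `Can't find AppArmor profiles in %s`; consider keeping a translated message for the explicit --dir case.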
diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py
index f1f05195..fd3ef32b 100644
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -25,10 +25,9 @@ _ = init_translation()
class aa_tools:
def __init__(self, tool_name, args):
- apparmor.init_aa()
+ apparmor.init_aa(profiledir=args.dir)
self.name = tool_name
- self.profiledir = args.dir
self.profiling = args.program
self.check_profile_dir()
self.silent = None
@@ -43,11 +42,6 @@ class aa_tools:
self.silent = args.silent
def check_profile_dir(self):
- if self.profiledir:
- apparmor.profile_dir = apparmor.get_full_path(self.profiledir)
- if not os.path.isdir(apparmor.profile_dir):
- raise apparmor.AppArmorException("%s is not a directory." % self.profiledir)
-
if not user_perm(apparmor.profile_dir):
raise apparmor.AppArmorException("Cannot write to profile directory: %s" % (apparmor.profile_dir))
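Review bot: after the `self.profiledir` block is removed from check_profile_dir, confirm that `os` is still used elsewhere in tools.py; the deleted `os.path.isdir` call may have been its last use, in which case the import should go too (the pyflakes run added as `check_lint` in utils/Makefile would flag it as unused).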
diff --git a/utils/severity.db b/utils/severity.db
index 3e07d44e..85b1d5de 100644
--- a/utils/severity.db
+++ b/utils/severity.db
@@ -30,6 +30,7 @@
CAP_SETUID 9
CAP_FOWNER 9
CAP_BPF 9
+ CAP_CHECKPOINT_RESTORE 9
# Denial of service, bypass audit controls, information leak
CAP_SYS_TIME 8
CAP_NET_ADMIN 8
diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py
index 40dacd96..2484c7f9 100644
--- a/utils/test/test-aa-notify.py
+++ b/utils/test/test-aa-notify.py
@@ -189,6 +189,7 @@ optional arguments:
result = 'Got output "%s", expected "%s"\n' % (output, expected_output_has)
self.assertIn(expected_output_has, output, result + output)
+ @unittest.skipUnless(os.path.isfile('/var/log/wtmp'), 'Requires wtmp on system')
def test_entries_since_login(self):
'''Test showing log entries since last login'''