Imported Upstream version 2.10.95

Makefile

@@ -8,12 +8,13 @@ all:
 COMMONDIR=common
 include ${COMMONDIR}/Make.rules
 
-DIRS=parser \
-     profiles \
+DIRS=libraries/libapparmor \
+     binutils \
+     parser \
      utils \
-     libraries/libapparmor \
      changehat/mod_apparmor \
      changehat/pam_apparmor \
+     profiles \
      tests
 
 #REPO_URL?=lp:apparmor
@@ -23,6 +24,7 @@ REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
 
+COVERITY_DIR=cov-int
 RELEASE_DIR=apparmor-${VERSION}
 __SETUP_DIR?=.
 
@@ -44,12 +46,18 @@ tarball: clean
 
 .PHONY: snapshot
 snapshot: clean
-	REPO_VERSION=`$(value REPO_VERSION_CMD)` ; \
-	SNAPSHOT_DIR=apparmor-${VERSION}~$${REPO_VERSION} ;\
-	make export_dir __EXPORT_DIR=$${SNAPSHOT_DIR} __REPO_VERSION=$${REPO_VERSION} ; \
-	make setup __SETUP_DIR=$${SNAPSHOT_DIR} ; \
-	tar ${TAR_EXCLUSIONS} -cvzf $${SNAPSHOT_DIR}.tar.gz $${SNAPSHOT_DIR} ;
+	$(eval REPO_VERSION:=$(shell $(value REPO_VERSION_CMD)))
+	$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(REPO_VERSION))
+	make export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} ; \
+	make setup __SETUP_DIR=${SNAPSHOT_NAME} ; \
+	tar ${TAR_EXCLUSIONS} -cvzf ${SNAPSHOT_NAME}.tar.gz ${SNAPSHOT_NAME} ;
 
+.PHONY: coverity
+coverity: snapshot
+	cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
+	$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
+		cov-build --dir $(COVERITY_DIR) -- make -C $(SNAPSHOT_NAME)/$(dir);)
+	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir
 export_dir:
@@ -59,7 +67,7 @@ export_dir:
 
 .PHONY: clean
 clean:
-	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~*
+	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~* ${COVERITY_DIR}
 	for dir in $(DIRS); do \
 		make -C $$dir clean; \
 	done

README

@@ -27,6 +27,7 @@ Source Layout
 
 AppArmor consists of several different parts:
 
+binutils/	source for basic utilities written in compiled languages
 changehat/	source for using changehat with Apache, PAM and Tomcat
 common/		common makefile rules
 desktop/	empty
@@ -71,6 +72,13 @@ $ make install
 generate Ruby bindings to libapparmor.]
 
 
+Binary Utilities:
+$ cd binutils
+$ make
+$ make check
+$ make install
+
+
 Utilities:
 $ cd utils
 $ make
@@ -104,7 +112,7 @@ $ make check	# depends on the parser having been built first
 $ make install
 
 
-[Note that for the parser and the utils, if you only with to build/use
+[Note that for the parser, binutils, and utils, if you only wish to build/use
  some of the locale languages, you can override the default by passing
  the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
 
@@ -188,6 +196,27 @@ $ ./stress.sh
 
 (see stress.sh -h for options)
 
+Coverity Support
+----------------
+Coverity scans are available to AppArmor developers at
+https://scan.coverity.com/projects/apparmor.
+
+In order to submit a Coverity build for analysis, the cov-build binary
+must be discoverable from your PATH. See the "To Setup" section of
+https://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of
+cov-build.
+
+To generate a compressed tarball of an intermediate Coverity directory:
+$ make coverity
+
+The compressed tarball is written to
+apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, where <SNAPSHOT_VERSION>
+is something like 2.10.90~3328, and must be uploaded to
+https://scan.coverity.com/projects/apparmor/builds/new for analysis. You must
+include the snapshot version in Coverity's project build submission form, in
+the "Project Version" field, so that it is quickly obvious to all AppArmor
+developers what snapshot of the AppArmor repository was used for the analysis.
+
 -----------------------------------------------
 Building and Installing AppArmor Kernel Patches
 -----------------------------------------------

binutils/Makefile

+# ----------------------------------------------------------------------
+#    Copyright (c) 2015
+#    Canonical Ltd. (All rights reserved)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+# ----------------------------------------------------------------------
+NAME=aa-binutils
+all:
+COMMONDIR=../common/
+
+include $(COMMONDIR)/Make.rules
+
+DESTDIR=/
+BINDIR=${DESTDIR}/usr/bin
+LOCALEDIR=/usr/share/locale
+MANPAGES=aa-enabled.8 aa-exec.8
+
+WARNINGS = -Wall
+EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
+CPP_WARNINGS =
+ifndef CFLAGS
+CFLAGS	= -g -O2 -pipe
+
+ifdef DEBUG
+CFLAGS += -pg -D DEBUG
+endif
+ifdef COVERAGE
+CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
+endif
+endif #CFLAGS
+
+EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
+
+#INCLUDEDIR = /usr/src/linux/include
+INCLUDEDIR =
+
+ifdef INCLUDEDIR
+	CFLAGS += -I$(INCLUDEDIR)
+endif
+
+# Internationalization support. Define a package and a LOCALEDIR
+EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
+
+SRCS = aa_enabled.c
+HDRS =
+TOOLS = aa-enabled aa-exec
+
+AALIB = -Wl,-Bstatic -lapparmor  -Wl,-Bdynamic -lpthread
+
+ifdef USE_SYSTEM
+  # Using the system libapparmor so Makefile dependencies can't be used
+  LIBAPPARMOR_A =
+  INCLUDE_APPARMOR =
+  APPARMOR_H =
+  LIBAPPARMOR_LDFLAGS =
+else
+  LIBAPPARMOR_SRC = ../libraries/libapparmor/
+  LOCAL_LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
+  LOCAL_LIBAPPARMOR_LDPATH = $(LIBAPPARMOR_SRC)/src/.libs
+
+  LIBAPPARMOR_A = $(LOCAL_LIBAPPARMOR_LDPATH)/libapparmor.a
+  INCLUDE_APPARMOR = -I$(LOCAL_LIBAPPARMOR_INCLUDE)
+  APPARMOR_H = $(LOCAL_LIBAPPARMOR_INCLUDE)/sys/apparmor.h
+  LIBAPPARMOR_LDFLAGS = -L$(LOCAL_LIBAPPARMOR_LDPATH)
+endif
+EXTRA_CFLAGS += $(INCLUDE_APPARMOR)
+LDFLAGS += $(LIBAPPARMOR_LDFLAGS)
+
+ifdef V
+  VERBOSE = 1
+endif
+ifndef VERBOSE
+  VERBOSE = 0
+endif
+ifeq ($(VERBOSE),1)
+  BUILD_OUTPUT =
+  Q =
+else
+  BUILD_OUTPUT = > /dev/null 2>&1
+  Q = @
+endif
+export Q VERBOSE BUILD_OUTPUT
+
+po/%.pot: %.c
+	$(MAKE) -C po $(@F) NAME=$* SOURCES=$*.c
+
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+arch: 	$(TOOLS)
+
+manpages:	$(MANPAGES)
+
+docs:	manpages
+
+indep: docs
+	$(Q)$(MAKE) -C po all
+
+all:	arch indep
+
+.PHONY: coverage
+coverage:
+	$(MAKE) clean $(TOOLS) COVERAGE=1
+
+ifndef USE_SYSTEM
+$(LIBAPPARMOR_A):
+	@if [ ! -f $@ ]; then \
+		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
+		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
+		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
+		return 1; \
+	fi
+endif
+
+aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)
+	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB) 
+
+aa-exec: aa_exec.c $(LIBAPPARMOR_A)
+	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
+
+.SILENT: check
+.PHONY: check
+check: check_pod_files tests
+
+.SILENT: tests
+tests: $(TOOLS) $(TESTS)
+	echo "no tests atm"
+
+.PHONY: install
+install: install-indep install-arch
+
+.PHONY: install-arch
+install-arch: arch
+	install -m 755 -d ${BINDIR}
+	install -m 755 ${TOOLS} ${BINDIR}
+
+.PHONY: install-indep
+install-indep:
+	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
+
+ifndef VERBOSE
+.SILENT: clean
+endif
+.PHONY: clean
+clean: pod_clean
+	rm -f core core.* *.o *.s *.a *~ *.gcda *.gcno
+	rm -f gmon.out
+	rm -f $(TOOLS) $(TESTS)
+	$(MAKE) -s -C po clean
+

binutils/aa-enabled.pod

+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-enabled - test whether AppArmor is enabled
+
+=head1 SYNOPSIS
+
+B<aa-enabled> [options]
+
+=head1 DESCRIPTION
+
+B<aa-enabled> is used to determine if AppArmor is enabled.
+
+=head1 OPTIONS
+
+B<aa-enabled> accepts the following arguments:
+
+=over 4
+
+=item -h, --help
+
+Display a brief usage guide.
+
+=item -q, --quiet
+
+Do not output anything to stdout. This option is intended to be used by
+scripts that simply want to use the exit code to determine if AppArmor is
+enabled.
+
+=back
+
+=head1 EXIT STATUS
+
+Upon exiting, B<aa-enabled> will set its exit status to the following values:
+
+=over 4
+
+=item 0:
+
+if AppArmor is enabled.
+
+=item 1:
+
+if AppArmor is not enabled/loaded.
+
+=item 2:
+
+intentionally not used as an B<aa-enabled> exit status.
+
+=item 3:
+
+if the AppArmor control files aren't available under /sys/kernel/security/.
+
+=item 4:
+
+if B<aa-enabled> doesn't have enough privileges to read the apparmor control files.
+
+=item 64:
+
+if any unexpected error or condition is encountered.
+
+=back
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<http://wiki.apparmor.net>.
+
+=cut

utils/aa-exec.pod → binutils/aa-exec.pod

@@ -57,10 +57,6 @@ use the current profile name (likely unconfined).
 use profiles in NAMESPACE.  This will result in confinement transitioning
 to using the new profile namespace.
 
-=item -f FILE, --file=FILE
-
-a file or directory containing profiles to load before confining the program.
-
 =item -i, --immediate
 
 transition to PROFILE before doing executing I<E<lt>commandE<gt>>.  This

binutils/aa_enabled.c

+/*
+ *   Copyright (C) 2015 Canonical Ltd.
+ *
+ *   This program is free software; you can redistribute it and/or
+ *    modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ */
+
+#include <errno.h>
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <libintl.h>
+#define _(s) gettext(s)
+
+#include <sys/apparmor.h>
+
+void print_help(const char *command)
+{
+	printf(_("%s: [options]\n"
+		 "  options:\n"
+		 "  -q | --quiet        Don't print out any messages\n"
+		 "  -h | --help         Print help\n"),
+	       command);
+	exit(1);
+}
+
+
+/* Exit statuses and meanings are documented in the aa-enabled.pod file */
+static void exit_with_error(int saved_errno, int quiet)
+{
+	int err;
+
+	switch(saved_errno) {
+	case ENOSYS:
+		if (!quiet)
+			printf(_("No - not available on this system.\n"));
+		exit(1);
+	case ECANCELED:
+		if (!quiet)
+			printf(_("No - disabled at boot.\n"));
+		exit(1);
+	case ENOENT:
+		if (!quiet)
+			printf(_("Maybe - policy interface not available.\n"));
+		exit(3);
+	case EPERM:
+	case EACCES:
+		if (!quiet)
+			printf(_("Maybe - insufficient permissions to determine availability.\n"));
+		exit(4);
+	}
+
+	if (!quiet)
+		printf(_("Error - %s\n"), strerror(saved_errno));
+	exit(64);
+}
+
+int main(int argc, char **argv)
+{
+	int enabled;
+	int quiet = 0;
+
+	setlocale(LC_MESSAGES, "");
+	bindtextdomain(PACKAGE, LOCALEDIR);
+	textdomain(PACKAGE);
+
+	if (argc > 2) {
+		printf(_("unknown or incompatible options\n"));
+		print_help(argv[0]);
+	} else if (argc == 2) {
+		if (strcmp(argv[1], "--quiet") == 0 ||
+		    strcmp(argv[1], "-q") == 0) {
+			quiet = 1;
+		} else if (strcmp(argv[1], "--help") == 0 ||
+			   strcmp(argv[1], "-h") == 0) {
+			print_help(argv[0]);
+		} else {
+			printf(_("unknown option '%s'\n"), argv[1]);
+			print_help(argv[0]);
+		}
+	}
+
+	enabled = aa_is_enabled();
+	if (!enabled)
+		exit_with_error(errno, quiet);
+
+	if (!quiet)
+		printf(_("Yes\n"));
+	exit(0);
+}

binutils/aa_exec.c

+/*
+ *   Copyright (c) 2015
+ *   Canonical, Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
+ */
+
+#include <errno.h>
+#include <getopt.h>
+#include <libintl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/apparmor.h>
+#include <unistd.h>
+#define _(s) gettext(s)
+
+static const char *opt_profile = NULL;
+static const char *opt_namespace = NULL;
+static bool opt_debug = false;
+static bool opt_immediate = false;
+static bool opt_verbose = false;
+
+static void usage(const char *name, bool error)
+{
+	FILE *stream = stdout;
+	int status = EXIT_SUCCESS;
+
+	if (error) {
+		stream = stderr;
+		status = EXIT_FAILURE;
+	}
+
+	fprintf(stream,
+		_("USAGE: %s [OPTIONS] <prog> <args>\n"
+		"\n"
+		"Confine <prog> with the specified PROFILE.\n"
+		"\n"
+		"OPTIONS:\n"
+		"  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with\n"
+		"  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in\n"
+		"  -d, --debug				show messages with debugging information\n"
+		"  -i, --immediate			change profile immediately instead of at exec\n"
+		"  -v, --verbose				show messages with stats\n"
+		"  -h, --help				display this help\n"
+		"\n"), name);
+	exit(status);
+}
+
+#define error(fmt, args...) _error(_("aa-exec: ERROR: " fmt "\n"), ## args)
+static void _error(const char *fmt, ...)
+{
+	va_list args;
+
+	va_start(args, fmt);
+	vfprintf(stderr, fmt, args);
+	va_end(args);
+	exit(EXIT_FAILURE);
+}
+
+#define debug(fmt, args...) _debug(_("aa-exec: DEBUG: " fmt "\n"), ## args)
+static void _debug(const char *fmt, ...)
+{
+	va_list args;
+
+	if (!opt_debug)
+		return;
+
+	va_start(args, fmt);
+	vfprintf(stderr, fmt, args);
+	va_end(args);
+}
+
+#define verbose(fmt, args...) _verbose(_(fmt "\n"), ## args)
+static void _verbose(const char *fmt, ...)
+{
+	va_list args;
+
+	if (!opt_verbose)
+		return;
+
+	va_start(args, fmt);
+	vfprintf(stderr, fmt, args);
+	va_end(args);
+}
+
+static void verbose_print_argv(char **argv)
+{
+	if (!opt_verbose)
+		return;
+
+	fprintf(stderr, _("exec"));
+	for (; *argv; argv++)
+		fprintf(stderr, " %s", *argv);
+	fprintf(stderr, "\n");
+}
+
+static char **parse_args(int argc, char **argv)
+{
+	int opt;
+	struct option long_opts[] = {
+		{"debug", no_argument, 0, 'd'},
+		{"help", no_argument, 0, 'h'},
+		{"profile", required_argument, 0, 'p'},
+		{"namespace", required_argument, 0, 'n'},
+		{"immediate", no_argument, 0, 'i'},
+		{"verbose", no_argument, 0, 'v'},
+	};
+
+	while ((opt = getopt_long(argc, argv, "+dhp:n:iv", long_opts, NULL)) != -1) {
+		switch (opt) {
+		case 'd':
+			opt_debug = true;
+			break;
+		case 'h':
+			usage(argv[0], false);
+			break;
+		case 'p':
+			opt_profile = optarg;
+			break;
+		case 'n':
+			opt_namespace = optarg;
+			break;
+		case 'i':
+			opt_immediate = true;
+			break;
+		case 'v':
+			opt_verbose = true;
+			break;
+		default:
+			usage(argv[0], true);
+			break;
+		}
+	}
+
+	if (optind >= argc)
+		usage(argv[0], true);
+
+	return argv + optind;
+}
+
+static void build_name(char *name, size_t name_len,
+		       const char *namespace, const char *profile)
+{
+	size_t required_len = 1; /* reserve 1 byte for NUL-terminator */
+
+	if (namespace)
+		required_len += 1 + strlen(namespace) + 3; /* :<NAMESPACE>:// */
+
+	if (profile)
+		required_len += strlen(profile);
+
+	if (required_len > name_len)
+		error("name too long (%zu > %zu)", required_len, name_len);
+
+	name[0] = '\0';
+
+	if (namespace) {
+		strcat(name, ":");
+		strcat(name, namespace);
+		strcat(name, "://");
+	}
+
+	if (profile)
+		strcat(name, profile);
+}
+
+int main(int argc, char **argv)
+{
+	char name[PATH_MAX];
+	int rc = 0;
+
+	argv = parse_args(argc, argv);
+
+	if (opt_namespace || opt_profile)
+		build_name(name, sizeof(name), opt_namespace, opt_profile);
+	else
+		goto exec;
+
+	if (opt_immediate) {
+		verbose("aa_change_profile(\"%s\")", name);
+		rc = aa_change_profile(name);
+		debug("%d = aa_change_profile(\"%s\")", rc, name);
+	} else {
+		verbose("aa_change_onexec(\"%s\")", name);
+		rc = aa_change_onexec(name);
+		debug("%d = aa_change_onexec(\"%s\")", rc, name);
+	}
+
+	if (rc) {
+		if (errno == ENOENT || errno == EACCES) {
+			error("%s '%s' does not exist\n",
+			      opt_profile ? "profile" : "namespace", name);
+		} else if (errno == EINVAL) {
+			error("AppArmor interface not available");
+		} else {
+			error("%m");
+		}
+	}
+
+exec:
+	verbose_print_argv(argv);
+	execvp(argv[0], argv);
+	error("Failed to execute \"%s\": %m", argv[0]);
+}

binutils/po/Makefile

+# ----------------------------------------------------------------------
+#    Copyright (C) 2015 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+# ----------------------------------------------------------------------
+all:
+
+# As translations get added, they will automatically be included, unless
+# the lang is explicitly added to DISABLED_LANGS; e.g. DISABLED_LANGS=en es
+
+DISABLED_LANGS=
+
+COMMONDIR=../../common
+include $(COMMONDIR)/Make-po.rules
+
+XGETTEXT_ARGS+=--language=C --keyword=_ $(shell if [ -f ${NAME}.pot ] ; then echo -n -j ; fi)
+

binutils/po/aa-enabled.pot

+# Copyright (C) 2015 Canonical Ltd
+# This file is distributed under the same license as the AppArmor package.
+# John Johansen <john.johansen@canonical.com>, 2015.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr ""
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr ""

binutils/po/en_GB.po

+# English (United Kingdom) translation for apparmor
+# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2016-02-18 06:22+0000\n"
+"Last-Translator: Andi Chandler <Unknown>\n"
+"Language-Team: English (United Kingdom) <en_GB@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2016-02-19 05:10+0000\n"
+"X-Generator: Launchpad (build 17925)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "unknown or incompatible options\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "unknown option '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Yes\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "No - not available on this system.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "No - disabled at boot.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Maybe - policy interface not available.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Maybe - insufficient permissions to determine availability.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Error - '%s'\n"

binutils/po/id.po

+# Indonesian translation for apparmor
+# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2016-01-20 08:59+0000\n"
+"Last-Translator: Ari Setyo Wibowo <mr.a.contact@gmail.com>\n"
+"Language-Team: Indonesian <id@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2016-02-02 05:11+0000\n"
+"X-Generator: Launchpad (build 17908)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [options]\n"
+"  pilihan:\n"
+"  -q | --quiet       Jangan tampilkan pesan apapun\n"
+"  -h | --help         Tampilkan bantuan\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "pilihan yang tidak dikenali atau tidak kompatibel\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "pilihan tidak dikenali '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Ya\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Tidak - tidak tersedia di sistem ini.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Tidak - nonaktifkan saat boot.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Mungkin - kebijakan antarmuka tidak tersedia.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Mungkin - izin tidak memadai untuk menentukan ketersediaan.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Kesalahan - '%s'\n"

binutils/po/pt.po

+# Portuguese translation for apparmor
+# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2016-03-03 08:34+0000\n"
+"Last-Translator: Ivo Xavier <ivofernandes12@gmail.com>\n"
+"Language-Team: Portuguese <pt@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2016-03-04 04:35+0000\n"
+"X-Generator: Launchpad (build 17936)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [opções]\n"
+"  opções:\n"
+"  -q | --silencioso        Não mostrar mensagens\n"
+"  -h | --ajuda         Mostar ajuda\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "opções desconhecidas ou incompatíveis\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "opção desconhecida '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Sim\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Não - não disponível neste sistema.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Não - desligado ao iniciar.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Talvez - política de interface não disponível.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Talvez - permissões insuficientes para determinar disponibilidade.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Erro - '%s'\n"

changehat/pam_apparmor/pam_apparmor.c

@@ -111,6 +111,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 					  sizeof(magic_token));
 		if (retval < 0) {
 			pam_syslog(pamh, LOG_ERR, "Can't read from /dev/urandom\n");
+			close(fd);
 			return PAM_PERM_DENIED;
 		}
 	} while ((magic_token == 0) || (retval != sizeof(magic_token)));

common/.stamp_rev

-https://code.launchpad.net/~apparmor-dev/apparmor/master 3205
+https://code.launchpad.net/~apparmor-dev/apparmor/master 3423

common/Make-po.rules

 # ------------------------------------------------------------------
 #
 # Copyright (c) 1999-2008 NOVELL (All rights reserved)
-# Copyright 2009-2010 Canonical Ltd.
+# Copyright 2009-2015 Canonical Ltd.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public 
@@ -21,7 +21,7 @@
 # exist
 LOCALEDIR=/usr/share/locale
 
-XGETTEXT_ARGS=--copyright-holder="NOVELL, Inc." --msgid-bugs-address=apparmor@lists.ubuntu.com -d ${NAME}
+XGETTEXT_ARGS=--copyright-holder="Canonical Ltd" --msgid-bugs-address=apparmor@lists.ubuntu.com -d ${NAME}
 
 # When making the .pot file, it's expected that the parent Makefile will
 # pass in the list of sources in the SOURCES variable

common/Make.rules

@@ -45,7 +45,7 @@ define nl
 
 endef
 
-REPO_VERSION_CMD=([ -x /usr/bin/bzr ] && /usr/bin/bzr version-info . 2> /dev/null || awk '{ print "revno: "$2 }' common/.stamp_rev) | awk '/^revno:/ { print $2 }'
+REPO_VERSION_CMD=[ -x /usr/bin/bzr ] && /usr/bin/bzr version-info --custom --template="{revno}" . 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
 
 ifndef PYTHON_VERSIONS
 PYTHON_VERSIONS = $(call map, pathsearch, python2 python3)
@@ -66,7 +66,7 @@ version:
 .PHONY: repo_version
 .SILENT: repo_version
 repo_version:
-	 $(value REPO_VERSION_CMD)
+	echo $(shell $(value REPO_VERSION_CMD))
 
 .PHONY: pod_clean
 ifndef VERBOSE
@@ -82,7 +82,7 @@ pod_clean:
 # =====================
 
 # emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
+CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
 
 .PHONY: list_capabilities
 list_capabilities: /usr/include/linux/capability.h
@@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.
 
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 

common/Version

-2.10
+2.10.95

libraries/libapparmor/Makefile.in

-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -14,7 +14,17 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
 am__make_running_with_option = \
   case $${target_option-} in \
       ?) ;; \
@@ -78,10 +88,6 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = .
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/configure $(am__configure_deps) AUTHORS \
-	ChangeLog INSTALL NEWS README compile config.guess config.sub \
-	install-sh missing ltmain.sh
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/../../common/Version \
 	$(top_srcdir)/m4/ac_podchecker.m4 \
@@ -89,6 +95,8 @@ am__aclocal_m4_deps = $(top_srcdir)/../../common/Version \
 	$(top_srcdir)/m4/ac_python_devel.m4 $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
+	$(am__configure_deps) $(am__DIST_COMMON)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
  configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
@@ -150,6 +158,9 @@ ETAGS = etags
 CTAGS = ctags
 CSCOPE = cscope
 DIST_SUBDIRS = $(SUBDIRS)
+am__DIST_COMMON = $(srcdir)/Makefile.in AUTHORS ChangeLog INSTALL NEWS \
+	README compile config.guess config.sub install-sh ltmain.sh \
+	missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -234,6 +245,7 @@ LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
@@ -325,6 +337,7 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
@@ -356,7 +369,6 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign Makefile
-.PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -572,15 +584,15 @@ dist-xz: distdir
 	$(am__post_remove_distdir)
 
 dist-tarZ: distdir
-	@echo WARNING: "Support for shar distribution archives is" \
-	               "deprecated." >&2
+	@echo WARNING: "Support for distribution archives compressed with" \
+		       "legacy program 'compress' is deprecated." >&2
 	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
 	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
 	$(am__post_remove_distdir)
 
 dist-shar: distdir
-	@echo WARNING: "Support for distribution archives compressed with" \
-		       "legacy program 'compress' is deprecated." >&2
+	@echo WARNING: "Support for shar distribution archives is" \
+	               "deprecated." >&2
 	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
 	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
 	$(am__post_remove_distdir)
@@ -616,17 +628,17 @@ distcheck: dist
 	esac
 	chmod -R a-w $(distdir)
 	chmod u+w $(distdir)
-	mkdir $(distdir)/_build $(distdir)/_inst
+	mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
 	chmod a-w $(distdir)
 	test -d $(distdir)/_build || exit 0; \
 	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
 	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
 	  && am__cwd=`pwd` \
-	  && $(am__cd) $(distdir)/_build \
-	  && ../configure \
+	  && $(am__cd) $(distdir)/_build/sub \
+	  && ../../configure \
 	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
-	    --srcdir=.. --prefix="$$dc_install_base" \
+	    --srcdir=../.. --prefix="$$dc_install_base" \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
 	  && $(MAKE) $(AM_MAKEFLAGS) check \
@@ -802,6 +814,8 @@ uninstall-am:
 	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
 	ps ps-am tags tags-am uninstall uninstall-am
 
+.PRECIOUS: Makefile
+
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.