- rel 4; bzr fixes

[packages/apparmor-parser.git] / apparmor-parser-bzr.patch

=== modified file 'libraries/libapparmor/swig/perl/Makefile.am'
--- libraries/libapparmor/swig/perl/Makefile.am 2009-05-12 21:56:56 +0000
+++ libraries/libapparmor/swig/perl/Makefile.am 2010-03-16 22:00:26 +0000
@@ -1,7 +1,8 @@
 EXTRA_DIST =Makefile.PL libapparmor_wrap.c LibAppArmor.pm examples/*.pl
+
+if HAVE_PERL
 noinst_DATA =LibAppArmor.so
 
-if HAVE_PERL
 libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
        $(SWIG) -perl -I$(srcdir)/../../src -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
 
@@ -27,4 +28,4 @@
 #rm -f Makefile.perl Makefile.perl.old
        rm -f *.so # *.o
 
-endif
\ No newline at end of file
+endif

=== modified file 'parser/Makefile'
--- parser/Makefile     2009-11-11 18:58:57 +0000
+++ parser/Makefile     2010-03-16 22:18:55 +0000
@@ -125,9 +125,20 @@
 techdoc.txt: techdoc/index.html
        w3m -dump $< > $@
 
-all:   $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+main:  $(TOOLS)
        $(Q)make -C po all
-       $(Q)make -s tests
+
+manpages:      $(MANPAGES)
+
+htmlmanpages:  $(HTMLMANPAGES)
+
+pdf:   techdoc.pdf
+
+docs:  manpages htmlmanpages pdf
+
+all:   main docs tests
 
 apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
        rm -f ./libstdc++.a
@@ -191,7 +202,7 @@
 af_names.h: /usr/include/bits/socket.h
        LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n#  define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
        LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
-       cat $@
+       # cat $@
 
 cap_names.h: /usr/include/linux/capability.h
        LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
@@ -214,7 +225,7 @@
 
 .SILENT: tests
 tests: ${TESTS}
-       for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test} $(BUILD_OUTPUT) ; done
+       sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test} $(BUILD_OUTPUT) ; done'
        $(Q)make -s -C tst tests
 
 .SILENT: check

=== modified file 'parser/apparmor_parser.pod'
--- parser/apparmor_parser.pod  2010-01-07 18:03:49 +0000
+++ parser/apparmor_parser.pod  2010-04-03 23:24:06 +0000
@@ -154,6 +154,33 @@
 Given once, only checks the profiles to ensure syntactic correctness.
 Given twice, dumps its interpretation of the profile for checking.
 
+=item -D n, --dump=n
+
+Debug flag for dumping various structures and passes of policy compilation.
+A single dump flag can be specified per --dump option, but the dump flag
+can be passed multiple times.  Note progress flags tend to also imply
+the matching stats flag.
+
+  apparmor_parser --dump=dfa-stats --dump=trans-stats <file>
+
+Use --help=dump to see a full list of which dump flags are supported
+
+=item -O n, --optimize=n
+
+Set the optimization flags used by policy compilation.  A sinlge optimization
+flag can be toggled per -O option, but the optimize flag can be passed
+multiple times.  Turning off some phases of the optimization can make
+it so that policy can't complete compilation due to size constraints
+(it is entirely possible to create a dfa with millions of states that will
+take days or longer to compile).
+
+Note: The parser is set to use a balanced default set of flags, that
+will result in resonable compression but not take excessive amounts
+of time to complete.
+
+Use --help=optimize to see a full list of which optimization flags are
+supported.
+
 =item -h, --help
 
 Give a quick reference guide.

=== modified file 'parser/libapparmor_re/regexp.y'
--- parser/libapparmor_re/regexp.y      2010-02-01 07:21:00 +0000
+++ parser/libapparmor_re/regexp.y      2010-03-13 10:23:23 +0000
@@ -1715,7 +1715,9 @@
                        Trans::iterator j = trans.find(*i);
                        if (j != trans.end())
                                trans.erase(j);
+                       State *s = *i;
                        states.erase(*i);
+                       delete(s);
                }
        }
 

=== modified file 'parser/parser.h'
--- parser/parser.h     2010-02-17 20:21:52 +0000
+++ parser/parser.h     2010-03-12 23:26:32 +0000
@@ -4,6 +4,9 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
+ *   Copyright (c) 2010
+ *   Canonical, Ltd. (All rights reserved)
+ *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
  *   License published by the Free Software Foundation.
@@ -14,7 +17,8 @@
  *   GNU General Public License for more details.
  *
  *   You should have received a copy of the GNU General Public License
- *   along with this program; if not, contact Novell, Inc.
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
  */
 
 #include <netinet/in.h>
@@ -280,12 +284,16 @@
 extern void free_cod_entries(struct cod_entry *list);
 
 /* parser_symtab.c */
+struct set_value {;
+       char *val;
+       struct set_value *next;
+};
 extern int add_boolean_var(const char *var, int boolean);
 extern int get_boolean_var(const char *var);
 extern int new_set_var(const char *var, const char *value);
 extern int add_set_value(const char *var, const char *value);
-extern void *get_set_var(const char *var);
-extern char *get_next_set_value(void **context);
+extern struct set_value *get_set_var(const char *var);
+extern char *get_next_set_value(struct set_value **context);
 extern void dump_symtab(void);
 extern void dump_expanded_symtab(void);
 void free_symtabs(void);
@@ -312,7 +320,7 @@
 extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
 extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
 extern void post_process_nt_entries(struct codomain *cod);
-extern int post_process_policy(void);
+extern int post_process_policy(int debug_only);
 extern int process_hat_regex(struct codomain *cod);
 extern int process_hat_variables(struct codomain *cod);
 extern int post_merge_rules(void);

=== modified file 'parser/parser_lex.l'
--- parser/parser_lex.l 2010-03-09 05:49:16 +0000
+++ parser/parser_lex.l 2010-03-12 09:50:26 +0000
@@ -227,6 +227,7 @@
 }
 
 <<EOF>> {
+       fclose(yyin);
        yypop_buffer_state();
        if ( !YY_CURRENT_BUFFER ) yyterminate();
 }

=== modified file 'parser/parser_main.c'
--- parser/parser_main.c        2010-01-28 01:20:13 +0000
+++ parser/parser_main.c        2010-04-03 22:41:40 +0000
@@ -4,6 +4,9 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
+ *   Copyright (c) 2010
+ *   Canonical, Ltd. (All rights reserved)
+ *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
  *   License published by the Free Software Foundation.
@@ -14,7 +17,8 @@
  *   GNU General Public License for more details.
  *
  *   You should have received a copy of the GNU General Public License
- *   along with this program; if not, contact Novell, Inc.
+ *   along with this program; if not, contact Novell, Inc. or Canonical,
+ *   Ltd.
  */
 
 #include <stdio.h>
@@ -258,7 +262,7 @@
                        break;
                case 'd':
                        debug++;
-                       skip_cache = 1;
+                       skip_read_cache = 1;
                        break;
                case 'h':
                        if (!optarg) {
@@ -316,7 +320,7 @@
                        subdomainbase = strndup(optarg, PATH_MAX);
                        break;
                case 'D':
-                       skip_cache = 1;
+                       skip_read_cache = 1;
                        if (!optarg) {
                                dump_vars = 1;
                        } else if (strcmp(optarg, "variables") == 0) {
@@ -359,7 +363,7 @@
                        }
                        break;
                case 'O':
-                       skip_cache = 1;
+                       skip_read_cache = 1;
                        if (strcmp(optarg, "0") == 0) {
                                dfaflags |= DFA_CONTROL_NO_TREE_NORMAL |
                                        DFA_CONTROL_NO_TREE_SIMPLE |
@@ -812,7 +816,7 @@
                goto out;
        }
 
-       retval = post_process_policy();
+       retval = post_process_policy(debug);
        if (retval != 0) {
                PERROR(_("%s: Errors found in file. Aborting.\n"), progname);
                goto out;

=== modified file 'parser/parser_policy.c'
--- parser/parser_policy.c      2009-08-20 15:27:12 +0000
+++ parser/parser_policy.c      2010-03-12 23:26:32 +0000
@@ -4,6 +4,9 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
+ *   Copyright (c) 2010
+ *   Canonical, Ltd. (All rights reserved)
+ *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
  *   License published by the Free Software Foundation.
@@ -14,7 +17,8 @@
  *   GNU General Public License for more details.
  *
  *   You should have received a copy of the GNU General Public License
- *   along with this program; if not, contact Novell, Inc.
+ *   along with this program; if not, contact Novell, Inc. or Canonical,
+ *   Ltd.
  */
 
 #include <stdio.h>
@@ -664,7 +668,7 @@
        return ret;
 }
 
-int post_process_policy(void)
+int post_process_policy(int debug_only)
 {
        int retval = 0;
 
@@ -696,11 +700,13 @@
                return retval;
        }
 
-       retval = post_process_regex();
-       if (retval != 0) {
-               PERROR(_("%s: Errors found during regex postprocess.  Aborting.\n"),
-                      progname);
-               return retval;
+       if (!debug_only) {
+               retval = post_process_regex();
+               if (retval != 0) {
+                       PERROR(_("%s: Errors found during regex postprocess.  Aborting.\n"),
+                              progname);
+                       return retval;
+               }
        }
 
        return retval;

=== modified file 'parser/parser_symtab.c'
--- parser/parser_symtab.c      2009-07-24 13:24:53 +0000
+++ parser/parser_symtab.c      2010-03-12 22:41:58 +0000
@@ -33,11 +33,6 @@
        sd_set,
 };
 
-struct set_value {
-       char *val;
-       struct set_value *next;
-};
-
 struct symtab {
        char *var_name;
        enum var_type type;
@@ -288,7 +283,7 @@
 
 /* returns a pointer to the value list, which should be used as the
  * argument to the get_next_set_value() function. */
-void *get_set_var(const char *var)
+struct set_value *get_set_var(const char *var)
 {
        struct symtab *result;
        struct set_value *valuelist = NULL;
@@ -321,16 +316,17 @@
 }
 
 /* iterator to walk the list of set values */
-char *get_next_set_value(void **list)
+char *get_next_set_value(struct set_value **list)
 {
-       struct set_value **valuelist = (struct set_value **) list;
+       struct set_value *next;
        char *ret;
 
-       if (!valuelist || !(*valuelist))
+       if (!list || !(*list))
                return NULL;
 
-       ret = (*valuelist)->val;
-       (*valuelist) = (*valuelist)->next;
+       ret = (*list)->val;
+       next = (*list)->next;
+       (*list) = next;
 
        return ret;
 }
@@ -569,7 +565,7 @@
 {
        int rc = 0;
        int retval;
-       void *retptr;
+       struct set_value *retptr;
        struct symtab *a, *b;
 
        a = new_symtab_entry("blah");

=== modified file 'parser/parser_variable.c'
--- parser/parser_variable.c    2009-07-24 23:47:46 +0000
+++ parser/parser_variable.c    2010-03-12 23:20:22 +0000
@@ -124,7 +124,7 @@
 
 static int expand_entry_variables(struct cod_entry *entry)
 {
-       void *valuelist;
+       struct set_value *valuelist;
        int ret = TRUE;
        char *value;
        struct var_string *split_var;

=== added file 'profiles/apparmor.d/abstractions/dbus-session'
--- profiles/apparmor.d/abstractions/dbus-session       1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/abstractions/dbus-session       2010-04-19 17:38:17 +0000
@@ -0,0 +1,14 @@
+# vim:syntax=apparmor
+# $Id$
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  #include <abstractions/dbus>
+  /usr/bin/dbus-launch Uxr,

=== modified file 'profiles/apparmor.d/abstractions/php5'
--- profiles/apparmor.d/abstractions/php5       2010-01-03 21:16:38 +0000
+++ profiles/apparmor.d/abstractions/php5       2010-03-30 17:34:32 +0000
@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
-#    Copyright (C) 2009 Canonical, Ltd.
+#    Copyright (C) 2009-2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -11,13 +11,13 @@
 # ------------------------------------------------------------------
 
   # shared snippets for config files
-  /etc/php5/{conf.d,apache2,cli,fastcgi}/ r,
-  /etc/php5/{conf.d,apache2,cli,fastcgi}/*.ini r,
+  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
+  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
   # php extensions
-  /usr/lib{64,}/php5/{libexec,extensions}/*.so mr,
+  /usr/lib{64,}/php5/*/*.so mr,
 
   # php5 session mmap socket
   /var/lib/php5/session_mm_* rwlk,

=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba      2009-11-04 20:25:42 +0000
+++ profiles/apparmor.d/abstractions/samba      2010-03-25 23:13:00 +0000
@@ -2,7 +2,7 @@
 # $Id$
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,7 +12,7 @@
 
   /etc/samba/smb.conf r,
   /usr/share/samba/*.dat r,
-  /var/lib/samba/**.tdb rw,
+  /var/lib/samba/**.tdb rwk,
   /var/log/samba/cores/* w,
   /var/log/samba/log.* w,
   /var/run/samba/*.tdb rw,

=== modified file 'profiles/apparmor.d/abstractions/user-tmp'
--- profiles/apparmor.d/abstractions/user-tmp   2009-11-04 20:25:42 +0000
+++ profiles/apparmor.d/abstractions/user-tmp   2010-05-12 08:52:23 +0000
@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2010 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -11,11 +11,11 @@
 # ------------------------------------------------------------------
 
   # per-user tmp directories
-  @{HOME}/tmp/**  rwkl,
-  @{HOME}/tmp/    rw,
+  owner @{HOME}/tmp/**  rwkl,
+  owner @{HOME}/tmp/    rw,
 
   # global tmp directories
-  /var/tmp/**     rwkl,
-  /var/tmp/       rw,
-  /tmp/**         rwkl,
-  /tmp/           rw,
+  owner /var/tmp/**     rwkl,
+  owner /var/tmp/       rw,
+  owner /tmp/**         rwkl,
+  owner /tmp/           rw,

=== modified file 'tests/regression/subdomain/prologue.inc'
--- tests/regression/subdomain/prologue.inc     2010-02-07 07:04:57 +0000
+++ tests/regression/subdomain/prologue.inc     2010-04-27 09:37:30 +0000
@@ -93,8 +93,10 @@
 
        while [ -h ${link} ]
        do
-               if [ -x /usr/bin/readlink ] ; then 
-                       target=$(/usr/bin/readlink ${link})
+               if [ -x /usr/bin/readlink ] ; then
+                       target=$(/usr/bin/readlink -f ${link})
+               elif [ -x /bin/readlink ] ; then
+                       target=$(/bin/readlink -f ${link})
                else 
                        # I'm sure there's a more perlish way to do this
                        target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));") 

=== modified file 'tests/stress/parser/stress.rb'
--- tests/stress/parser/stress.rb       2008-11-26 22:16:48 +0000
+++ tests/stress/parser/stress.rb       2010-03-15 18:31:38 +0000
@@ -14,10 +14,27 @@
   return sprintf("%0#{len}x", rand(2 ** (4 * len)))
 end
 
+def get_random_regex()
+  case rand(10)
+    when 0..3
+      return "{#{get_random_name(rand(8) + 2)},#{get_random_name(rand(8) + 2)},#{get_random_name(rand(8) + 2)}}"
+    when 4..5
+      return "[#{get_random_name(rand(5) + 1)}]"
+    when 6..7
+      return "*"
+    when 8..9
+      return "**"
+  end
+end
+
 def get_random_path()
   out = ""
-  0.upto(rand(20)) do
-    out = "#{out}/#{get_random_name(4)}"
+  0.upto(rand(20) + 2) do
+    if rand(4) == 0
+      out = "#{out}/#{get_random_regex}"
+    else
+      out = "#{out}/#{get_random_name(rand(10) + 4)}"
+    end
   end
   return out
 end
@@ -83,7 +100,10 @@
     "mknod",
     "lease",
     "audit_write",
-    "audit_control"
+    "audit_control",
+    "setfcap",
+    "mac_override",
+    "mac_admin"
   ]
 
   def initialize()
@@ -95,6 +115,93 @@
   end
 end
 
+class NetRule < Rule
+  # XXX Fill me in
+end
+
+class RlimitRule < Rule
+  RLIMIT_LIST = [
+#"cpu",                # cpu rlimit not supported
+    "fsize",
+    "data",
+    "stack",
+    "core",
+    "rss",
+    "nofile",
+    "ofile",
+    "as",
+    "nproc",
+    "memlock",
+    "locks",
+    "sigpending",
+    "msgqueue",
+    "nice",
+    "rtprio"
+  ]
+
+  def initialize()
+    @rlimit = RLIMIT_LIST[rand(RLIMIT_LIST.length)]
+    if rand(20) == 0
+      @limit = "infinity"
+    elsif @rlimit == "nice"
+      @limit = rand(40) - 20
+    else
+      @limit = rand(2 ** 31)
+    end
+  end
+
+  def to_s
+    return "  set rlimit #{@rlimit} <= #{@limit},"
+  end
+end
+
+class Flags
+  FLAG_LIST = [
+    "complain",
+    "audit",
+    "chroot_relative",
+    "namespace_relative",
+    "mediate_deleted",
+    "delegate_deleted",
+    "attach_disconnected",
+    "no_attach_disconnected",
+    "chroot_attach",
+    "chroot_no_attach"
+  ]
+
+  FLAG_CONFLICTS = [
+    ["chroot_relative", "namespace_relative"],
+    ["mediate_deleted", "delegate_deleted"],
+    ["attach_disconnected", "no_attach_disconnected"],
+    ["chroot_attach", "chroot_no_attach"]
+  ]
+
+  def initialize()
+    @flags = []
+    if rand(2) == 1
+      return
+    end
+
+    0.upto(4 - Math.log(rand(32) + 1).to_int) do |x|
+      @flags << FLAG_LIST[rand(FLAG_LIST.length)]
+    end
+
+    FLAG_CONFLICTS.each do |c|
+      if @flags.include?(c[0]) and @flags.include?(c[1])
+        @flags.delete(c[rand(2)])
+      end
+    end
+  end
+
+  def to_s
+    if @flags.empty?
+      return ""
+    end
+    out = @flags.join(",")
+    return "flags=(#{out})"
+  end
+end
+
 def prefix_to_s(name)
   out = []
   out << "#"
@@ -112,16 +219,19 @@
     @rvalue = get_random_name()
     @name = "/does/not/exist/#{@rvalue}"
     @rules = []
+    @flags = Flags.new()
   end
 
   def generate_rules
-    @rules << FileRule.new(@name, "rm")
+    @rules << FileRule.new(@name, "rm").to_s
     0.upto(rand($max_rules - $min_rules) + $min_rules) do |x|
       case rand(100)
-        when 0..19
-          @rules << CapRule.new
-        when 19..100
-          @rules << FileRule.new
+        when 0..14
+          @rules << CapRule.new.to_s
+        when 15..24
+          @rules << RlimitRule.new.to_s
+        when 25..100
+          @rules << FileRule.new.to_s
       end
     end
   end
@@ -132,10 +242,10 @@
     out << "# profile for #{@name}"
     out << "# generated by #{__FILE__} #{$my_version}"
     out << "#"
-    out << "#{@name} {"
+    out << "#{@name} #{@flags} {"
     out << "  #include <abstractions/base>"
     out << ""
-    @rules.each { |r| out << r.to_s }
+    @rules.sort.each { |r| out << "  #{r}" }
     out << "}"
     out << ""
   end

=== modified file 'utils/SubDomain.pm'
--- utils/SubDomain.pm  2010-03-10 23:30:06 +0000
+++ utils/SubDomain.pm  2010-03-26 13:51:21 +0000
@@ -6612,10 +6612,14 @@
     LibAppArmor::free_record($event);
 
     #map new c and d to w as logprof doesn't support them yet
-    $rmask =~ s/c/w/g;
-    $rmask =~ s/d/w/g;
-    $dmask =~ s/c/w/g;
-    $dmask =~ s/d/w/g;
+    if ($rmask) {
+        $rmask =~ s/c/w/g;
+        $rmask =~ s/d/w/g;
+    }
+    if ($dmask) {
+        $dmask =~ s/c/w/g;
+        $dmask =~ s/d/w/g;
+    }
 
     if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
         fatal_error(sprintf(gettext('Log contains unknown mode %s.'),

=== modified file 'utils/apparmor_notify'
--- utils/apparmor_notify       2010-03-10 16:11:26 +0000
+++ utils/apparmor_notify       2010-05-27 14:08:12 +0000
@@ -30,8 +30,7 @@
 require Time::Local;
 require File::Basename;
 
-use vars qw($opt_p $opt_s $opt_l $opt_h $opt_v $opt_d $opt_w);
-use Getopt::Std;
+use Getopt::Long;
 
 my %prefs;
 my $conf = "/etc/apparmor/notify.conf";
@@ -67,7 +66,6 @@
 $ENV{SHELL} = "/bin/sh";
 defined($ENV{IFS}) and $ENV{IFS} = ' \t\n';
 
-print $0 . "\n";
 my $prog = File::Basename::basename($0);
 
 if ($prog !~ /^[a-zA-Z0-9_\-]+$/) {
@@ -75,32 +73,66 @@
     exitscript(1);
 }
 
-my $logfile = "/var/log/kern.log";
--e "/var/run/auditd.pid" and $logfile = "/var/log/audit/audit.log";
-
 $> == $< or die "Cannot be suid\n";
 $) == $( or die "Cannot be sgid\n";
 
 my $login;
+our $orig_euid = $>;
 
-getopts('dhlpvs:w:');
+my $opt_d = '';
+my $opt_h = '';
+my $opt_l = '';
+my $opt_p = '';
+my $opt_v = '';
+my $opt_f = '';
+my $opt_s = 0;
+my $opt_u = '';
+my $opt_w = 0;
+GetOptions(
+    'debug|d'        => \$opt_d,
+    'help|h'         => \$opt_h,
+    'since-last|l'   => \$opt_l,
+    'poll|p'         => \$opt_p,
+    'verbose|v'      => \$opt_v,
+    'file|f=s'       => \$opt_f,
+    'since-days|s=n' => \$opt_s,
+    'user|u=s'       => \$opt_u,
+    'wait|w=n'       => \$opt_w,
+);
 if ($opt_h) {
     usage;
     exitscript(0);
 }
 
+# monitor file specified with -f, else use audit.log if auditd is running,
+# otherwise kern.log
+our $logfile = "/var/log/kern.log";
+if ($opt_f) {
+    -f $opt_f or die "'$opt_f' does not exist. Aborting\n";
+    $logfile = $opt_f;
+} else {
+    -e "/var/run/auditd.pid" and $logfile = "/var/log/audit/audit.log";
+}
+
+-r $logfile or die "Cannot read '$logfile'\n";
+our $logfile_inode = get_logfile_inode($logfile);
+our $logfile_size = get_logfile_size($logfile);
 open (LOGFILE, "<$logfile") or die "Could not open '$logfile'\n";
 # Drop priviliges, if running as root
 if ($< == 0) {
     $login = "root";
     if (defined($ENV{SUDO_UID}) and defined($ENV{SUDO_GID})) {
         POSIX::setgid($ENV{SUDO_GID}) or _error("Could not change gid");
-        POSIX::setuid($ENV{SUDO_UID}) or _error("Could not change uid");
+        $> = $ENV{SUDO_UID} or _error("Could not change euid");
         defined($ENV{SUDO_USER}) and $login = $ENV{SUDO_USER};
     } else {
+        my $drop_to = $nobody_user;
+        if ($opt_u) {
+            $drop_to = $opt_u;
+        }
         # nobody/nogroup
-        POSIX::setgid(scalar(getpwnam($nobody_group))) or _error("Could not change gid to '$nobody_group'");
-        POSIX::setuid(scalar(getpwnam($nobody_user))) or _error("Could not change uid to '$nobody_user'");
+        POSIX::setgid(scalar(getgrnam($nobody_group))) or _error("Could not change gid to '$nobody_group'");
+        $> = scalar(getpwnam($drop_to)) or _error("Could not change euid to '$drop_to'");
     }
 } else {
     $login = getlogin();
@@ -111,7 +143,7 @@
     readconf($conf);
     if (defined($prefs{use_group})) {
         my ($name, $passwd, $gid, $members) = getgrnam($prefs{use_group});
-        if (not defined($members) or not defined($login) or not grep { $_ eq $login } split(/ /, $members)) {
+        if (not defined($members) or not defined($login) or (not grep { $_ eq $login } split(/ /, $members) and $login ne "root")) {
             _error("'$login' must be in '$prefs{use_group}' group. Aborting");
         }
     }
@@ -220,7 +252,6 @@
     defined($name) and $formatted .= "Name: $name\n";
     defined($denied) and $formatted .= "Denied: $denied\n";
     defined($family) and defined ($sock_type) and $formatted .= "Family: $family\nSocket type: $sock_type\n";
-    #defined($date) and $since > 0 and $formatted .= "Date: ". scalar(localtime($date)) ."\n";
     $formatted .= "Logfile: $logfile\n";
 
     return $formatted;
@@ -259,6 +290,26 @@
     close(PS);
 }
 
+sub send_message {
+    my $msg = $_[0];
+
+    my $pid = fork();
+    if ($pid == 0) {   # child
+        # notify-send needs $< to be the unprivileged user
+        $< = $>;
+
+        # 'system' uses execvp() so no shell metacharacters here.
+        # $notify_exe is an absolute path so execvp won't search PATH.
+        system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg";
+        my $exit_code = $? >> 8;
+        exit($exit_code);
+    }
+
+    # parent
+    waitpid($pid, 0);
+    return $?;
+}
+
 sub do_notify {
     my %seen;
     my $seconds = 5;
@@ -273,7 +324,7 @@
         umask 0;
         open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
         open STDOUT, '>/dev/null' or die "Can't write to /dev/null: $!";
-        open STDERR, '>/dev/null' or die "Can't write to /dev/null: $!";
+        #open STDERR, '>/dev/null' or die "Can't write to /dev/null: $!";
         my $pid = fork();
         exit if $pid;
         die "Couldn't fork: $!" unless defined($pid);
@@ -293,12 +344,24 @@
     my $count = 0;
     my $footer = "For more information, please see:\n$url";
     my $first_run = 1;
-    my $since = $now - (int($opt_s) * 60 * 60 * 24);
+    my $since = $now;
+    if ($opt_s and int($opt_s) > 0) {
+       $since = $since - (int($opt_s) * 60 * 60 * 24);
+    }
     for (my $i=0; $time_to_die == 0; $i++) {
+        if ($logfile_inode != get_logfile_inode($logfile)) {
+            _warn("$logfile changed inodes, reopening");
+            reopen_logfile();
+        } elsif (get_logfile_size($logfile) < $logfile_size) {
+            _warn("$logfile is smaller, reopening");
+            reopen_logfile();
+        }
         while(my $msg = <LOGFILE>) {
             my @attrib;
-            if ($first_run == 1 and $opt_s) {
-                @attrib = parse_message($msg, $since);
+            if ($first_run == 1) {
+                if ($since != $now) {
+                    @attrib = parse_message($msg, $since);
+                }
             } else {
                 @attrib = parse_message($msg);
             }
@@ -340,12 +403,9 @@
 
             $m .= $footer;
 
-           # 'system' uses execvp() so no shell metacharacters here.
-            # $notify_exe is an absolute path so execvp won't search PATH.
-            system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$m";
-            my $exit_code = $? >> 8;
-            if ($exit_code != 0) {
-                _warn("'$notify_exe' exited with '$exit_code'");
+            my $rc = send_message($m);
+            if ($rc != 0) {
+                _warn("'$notify_exe' exited with error '$rc'");
                 $time_to_die = 1;
                 last;
             }
@@ -356,7 +416,7 @@
 
         if ($first_run) {
             if ($count > 0) {
-                my $m = "$logfile contains $count existing denied message";
+                my $m = "$logfile contains $count denied message";
                 $count > 1 and $m .= "s";
                 if ($opt_s) {
                     $m .= " in the last ";
@@ -368,7 +428,7 @@
                 }
                 $m .= ". ";
                 $m .= $footer;
-                system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$m";
+                send_message($m);
             }
             $first_run = 0;
         }
@@ -390,6 +450,9 @@
 }
 
 sub show_since {
+    my %msg_hash;
+    my %last_date;
+    my @msg_list;
     my $count = 0;
     while(my $msg = <LOGFILE>) {
         my @attrib = parse_message($msg, $_[0]);
@@ -397,10 +460,31 @@
 
         my $m = format_message(@attrib);
         $m ne "" or next;
-
-        $opt_v and print "$m\n";
+        my $date = $attrib[6];
+        if ($opt_v) {
+            if (exists($msg_hash{$m})) {
+                $msg_hash{$m}++;
+                defined($date) and $last_date{$m} = scalar(localtime($date));
+            } else {
+                $msg_hash{$m} = 1;
+                push(@msg_list, $m);
+            }
+        }
         $count++;
     }
+    if ($opt_v) {
+        foreach my $m (@msg_list) {
+            print "$m";
+            if ($msg_hash{$m} gt 1) {
+                print "($msg_hash{$m} found";
+                if (exists($last_date{$m})) {
+                    print ", most recent from '$last_date{$m}'";
+                }
+                print ")\n";
+            }
+            print "\n";
+        }
+    }
     return $count;
 }
 
@@ -452,19 +536,63 @@
 sub usage {
     my $s = <<'EOF';
 USAGE: apparmor_notify [OPTIONS]
+
 Display AppArmor notifications or messages for DENIED entries.
 
 OPTIONS:
-  -p           poll AppArmor logs and display notifications
-  -l           display stats since last login
-  -s NUM       show stats for last NUM days (can be used alone or with -p)
-  -v           show messages with stats
-  -h           display this help
-  -w NUM       wait NUM seconds before displaying notifications (with -p)
+  -p, --poll                   poll AppArmor logs and display notifications
+  -f FILE, --file=FILE         search FILE for AppArmor messages
+  -l, --since-last             display stats since last login
+  -s NUM, --since-days=NUM     show stats for last NUM days (can be used alone
+                               or with -p)
+  -v, --verbose                        show messages with stats
+  -h, --help                   display this help
+  -u USER, --user=USER         user to drop privileges to when not using sudo
+  -w NUM, --wait=NUM           wait NUM seconds before displaying
+                               notifications (with -p)
 EOF
     print $s;
 }
 
+sub reopen_logfile {
+    # reopen the logfile, temporarily switching back to starting euid for
+    # file permissions.
+    close(LOGFILE);
+
+    my $old_euid = $>;
+    my $change_euid = 0;
+    if ($> != $<) {
+        _debug("raising privileges to '$orig_euid' in reopen_logfile()");
+        $change_euid = 1;
+        $> = $orig_euid;
+        $> == $orig_euid or die "Could not raise privileges\n";
+    }
+
+    $logfile_inode = get_logfile_inode($logfile);
+    $logfile_size = get_logfile_size($logfile);
+    open (LOGFILE, "<$logfile") or die "Could not open '$logfile'\n";
+
+    if ($change_euid) {
+        _debug("dropping privileges to '$old_euid' in reopen_logfile()");
+        $> = $old_euid;
+        $> == $old_euid or die "Could not drop privileges\n";
+    }
+}
+
+sub get_logfile_size {
+    my $fn = $_[0];
+    my $size;
+    defined(($size = (stat($fn))[7])) or (sleep(10) and defined(($size = (stat($fn))[7])) or die "'$fn' disappeared. Aborting\n");
+    return $size;
+}
+
+sub get_logfile_inode {
+    my $fn = $_[0];
+    my $inode;
+    defined(($inode = (stat($fn))[1])) or (sleep(10) and defined(($inode = (stat($fn))[1])) or die "'$fn' disappeared. Aborting\n");
+    return $inode;
+}
+
 #
 # end Subroutines
 #

=== modified file 'utils/apparmor_notify.pod'
--- utils/apparmor_notify.pod   2010-02-12 16:25:02 +0000
+++ utils/apparmor_notify.pod   2010-05-12 08:46:22 +0000
@@ -40,24 +40,37 @@
 
 =over 4
 
-=item -p
+=item -p, --poll
 
 poll AppArmor logs and display desktop notifications. Can be used with '-s'
 option to display a summary on startup.
 
-=item -l
+=item -f FILE, --file=FILE
+
+search FILE for AppArmor messages
+
+=item -l, --since-last
 
 show summary since last login.
 
-=item -s NUM
+=item -s NUM, --since-days=NUM
 
 show summary for last NUM of days.
 
-=item -v
+=item -u USER, --user=USER
+
+user to drop privileges to when running privileged. This has no effect when
+running under sudo.
+
+=item -w NUM, --wait=NUM
+
+wait NUM seconds before displaying notifications (for use with -p)
+
+=item -v, --verbose
 
 show messages with summaries.
 
-=item -h
+=item -h, --help
 
 displays a short usage statement.