author | allgdante <allan.garret@gmail.com> | 2018-07-05 18:26:04 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-13 15:53:52 +0000 |
commit | e85c11c31b26f4038bea2d69494db969d2b54f5f (patch) | |
tree | 55543f4f579ec21098d3bb1860e8f89ae75954b6 /testing/apparmor | |
parent | 3a33d4256d9ade07a196aac6c6a36c18401b601a (diff) | |
testing/apparmor: upgrade to 2.13
Diffstat (limited to 'testing/apparmor')
15 files changed, 428 insertions, 258 deletions
diff --git a/testing/apparmor/0001-Add-missing-secure_getenv-and-scandirat-functions.patch b/testing/apparmor/0001-Add-missing-secure_getenv-and-scandirat-functions.patch deleted file mode 100644 index 3791d12882..0000000000 --- a/testing/apparmor/0001-Add-missing-secure_getenv-and-scandirat-functions.patch +++ /dev/null 
@@ -1,175 +0,0 @@ -diff --git a/libraries/libapparmor/configure.ac b/libraries/libapparmor/configure.ac -index 479ba6dd..afbb8e2d 100644 ---- a/libraries/libapparmor/configure.ac -+++ b/libraries/libapparmor/configure.ac -@@ -81,7 +81,7 @@ AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes) - AC_HEADER_STDC - AC_CHECK_HEADERS(unistd.h stdint.h syslog.h) - --AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv]) -+AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv scandirat]) - - AM_PROG_CC_C_O - AC_C_CONST -diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am -index 6002017d..a3ae0703 100644 ---- a/libraries/libapparmor/src/Makefile.am -+++ b/libraries/libapparmor/src/Makefile.am -@@ -46,9 +46,9 @@ af_protos.h: /usr/include/netinet/in.h - LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@ - - lib_LTLIBRARIES = libapparmor.la --noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h -+noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h secure_getenv.h scandirat.h private.h - --libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c -+libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c secure_getenv.c scandirat.c private.c features.c kernel_interface.c policy_cache.c - libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \ - -Wl,--version-script=$(top_srcdir)/src/libapparmor.map - -diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c -index 9378e224..b1c48051 100644 ---- a/libraries/libapparmor/src/private.c -+++ b/libraries/libapparmor/src/private.c -@@ -39,10 +39,14 @@ - #ifdef HAVE___SECURE_GETENV - #define secure_getenv __secure_getenv - #else -- #error neither secure_getenv nor __secure_getenv is available -+ #include 
"secure_getenv.h" - #endif - #endif - -+#ifndef HAVE_SCANDIRAT -+#include "scandirat.h" -+#endif -+ - struct ignored_suffix_t { - const char * text; - int len; -diff --git a/libraries/libapparmor/src/scandirat.c b/libraries/libapparmor/src/scandirat.c -new file mode 100644 -index 00000000..1576a35f ---- /dev/null -+++ b/libraries/libapparmor/src/scandirat.c -@@ -0,0 +1,63 @@ -+#include <dirent.h> -+#include <string.h> -+#include <stdlib.h> -+#include <unistd.h> -+#include <fcntl.h> -+#include <inttypes.h> -+#include <errno.h> -+ -+#include "scandirat.h" -+ -+#ifndef HAVE_SCANDIRAT -+ -+int scandirat(int dir_fd, const char *dirp, struct dirent ***namelist, -+ int (*filter)(const struct dirent *), -+ int (*compar)(const struct dirent **, const struct dirent **)) -+{ -+ int fd; -+ DIR *d; -+ struct dirent *de, **names=0, **tmp; -+ size_t cnt=0, len=0; -+ int old_errno = errno; -+ -+ -+ fd = openat(dir_fd, dirp, O_RDONLY|O_CLOEXEC); -+ if (fd == -1) return -1; -+ -+ d = fdopendir(fd); -+ -+ if (!d) { -+ close(fd); -+ return -1; -+ } -+ -+ while ((errno=0), (de = readdir(d))) { -+ if (filter && !filter(de)) continue; -+ if (cnt >= len) { -+ len = 2*len+1; -+ if (len > SIZE_MAX/sizeof *names) break; -+ tmp = realloc(names, len * sizeof *names); -+ if (!tmp) break; -+ names = tmp; -+ } -+ names[cnt] = malloc(de->d_reclen); -+ if (!names[cnt]) break; -+ memcpy(names[cnt++], de, de->d_reclen); -+ } -+ -+ closedir(d); -+ -+ if (errno) { -+ if (names) while (cnt-->0) free(names[cnt]); -+ free(names); -+ return -1; -+ } -+ errno = old_errno; -+ -+ if (compar) qsort(names, cnt, sizeof *names, (int (*)(const void *, const void *))compar); -+ *namelist = names; -+ return cnt; -+} -+ -+#endif -+ -diff --git a/libraries/libapparmor/src/scandirat.h b/libraries/libapparmor/src/scandirat.h -new file mode 100644 -index 00000000..6f4bf037 ---- /dev/null -+++ b/libraries/libapparmor/src/scandirat.h -@@ -0,0 +1,13 @@ -+#ifndef LIBAPPARMOR_SCANDIRAT_H -+#define LIBAPPARMOR_SCANDIRAT_H -+ 
-+#include <dirent.h> -+ -+#ifndef HAVE_SCANDIRAT -+int scandirat(int dir_fd, const char *dirp, struct dirent ***namelist, -+ int (*filter)(const struct dirent *), -+ int (*compar)(const struct dirent **, const struct dirent **)); -+#endif -+ -+#endif -+ -diff --git a/libraries/libapparmor/src/secure_getenv.c b/libraries/libapparmor/src/secure_getenv.c -new file mode 100644 -index 00000000..b5eb46e5 ---- /dev/null -+++ b/libraries/libapparmor/src/secure_getenv.c -@@ -0,0 +1,15 @@ -+#include <stdlib.h> -+#include <sys/auxv.h> -+ -+#include "secure_getenv.h" -+ -+#ifndef HAVE_SECURE_GETENV -+char *secure_getenv(const char *name) -+{ -+ if (!getauxval(AT_SECURE)) { -+ return getenv(name); -+ } -+ return NULL; -+} -+#endif -+ -diff --git a/libraries/libapparmor/src/secure_getenv.h b/libraries/libapparmor/src/secure_getenv.h -new file mode 100644 -index 00000000..b6269a8f ---- /dev/null -+++ b/libraries/libapparmor/src/secure_getenv.h -@@ -0,0 +1,8 @@ -+#ifndef LIBAPPARMOR_SECURE_GETENV_H -+#define LIBAPPARMOR_SECURE_GETENV_H -+ -+#ifndef HAVE_SECURE_GETENV -+char *secure_getenv(const char *name); -+#endif -+ -+#endif --- -2.16.1 - diff --git a/testing/apparmor/0001-libapparmor-fix-reallocarray-FTBFS-w-older-glibc.patch b/testing/apparmor/0001-libapparmor-fix-reallocarray-FTBFS-w-older-glibc.patch new file mode 100644 index 0000000000..590ccd489e --- /dev/null +++ b/testing/apparmor/0001-libapparmor-fix-reallocarray-FTBFS-w-older-glibc.patch 
@@ -0,0 +1,59 @@
+From e9b875a4b48d5a41d6c398a44ac6bec216fded5f Mon Sep 17 00:00:00 2001
+From: Steve Beattie <steve.beattie@canonical.com>
+Date: Wed, 18 Apr 2018 12:37:09 -0700
+Subject: [PATCH 01/11] libapparmor: fix reallocarray FTBFS w/older glibc
+
+The recently added overlay cache directory support added to libapparmor
+makes use of reallocarray(3) to resize memory allocations; however,
+reallocarray() was only included in glibc 2.26. This commit adds a
+configure check for reallocarray() and if it's not available, provides
+it as a wrapper around realloc(3).
+
+PR: https://gitlab.com/apparmor/apparmor/merge_requests/100
+Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
+Acked-by: John Johansen <john.johansen@canonical.com>
+
+(cherry picked from commit 8e6313761246099429e9bd12ea6db02d7052188b)
+---
+ libraries/libapparmor/configure.ac | 2 +-
+ libraries/libapparmor/src/private.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/configure.ac b/libraries/libapparmor/configure.ac
+index 479ba6dd..73d99398 100644
+--- a/libraries/libapparmor/configure.ac
++++ b/libraries/libapparmor/configure.ac
+@@ -81,7 +81,7 @@ AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
+ AC_HEADER_STDC
+ AC_CHECK_HEADERS(unistd.h stdint.h syslog.h)
+
+-AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv])
++AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv reallocarray])
+
+ AM_PROG_CC_C_O
+ AC_C_CONST
+diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c
+index bece09d1..218f6628 100644
+--- a/libraries/libapparmor/src/private.c
++++ b/libraries/libapparmor/src/private.c
+@@ -43,6 +43,17 @@
+ #endif
+ #endif
+
++/**
++ * Allow libapparmor to build on older glibcs and other libcs that do
++ * not support reallocarray.
++ */
++#ifndef HAVE_REALLOCARRY
++void *reallocarray(void *ptr, size_t nmemb, size_t size)
++{
++ return realloc(ptr, nmemb * size);
++}
++#endif
++
+ struct ignored_suffix_t {
+ const char * text;
+ int len;
+--
+2.17.1
+
diff --git a/testing/apparmor/0002-Add-missing-typedef-definitions-on-parser.patch b/testing/apparmor/0002-Add-missing-typedef-definitions-on-parser.patch
deleted file mode 100644
index 80caea6b8a..0000000000
--- a/testing/apparmor/0002-Add-missing-typedef-definitions-on-parser.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff --git a/parser/missingdefs.h b/parser/missingdefs.h
-new file mode 100644
-index 00000000..9b2057e7
---- /dev/null
-+++ b/parser/missingdefs.h
-@@ -0,0 +1,9 @@
-+#ifndef PARSER_MISSINGDEFS_H
-+#define PARSER_MISSINGDEFS_H
-+
-+typedef int (*__compar_fn_t) (const void *, const void *);
-+typedef __compar_fn_t comparison_fn_t;
-+typedef void (*__free_fn_t) (void *__nodep);
-+
-+#endif
-+
-diff --git a/parser/parser_alias.c b/parser/parser_alias.c
-index f5b6da4e..d50a72b5 100644
---- a/parser/parser_alias.c
-+++ b/parser/parser_alias.c
-@@ -24,6 +24,7 @@
- #include "immunix.h"
- #include "parser.h"
- #include "profile.h"
-+#include "missingdefs.h"
-
- struct alias_rule {
- char *from;
-diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
-index 3e667d87..d5a82701 100644
---- a/parser/parser_symtab.c
-+++ b/parser/parser_symtab.c
-@@ -24,6 +24,7 @@
-
- #include "immunix.h"
- #include "parser.h"
-+#include "missingdefs.h"
-
- enum var_type {
- sd_boolean,
---
-2.16.1
-
diff --git a/testing/apparmor/0002-libapparmor-make-aa_policy_cache_add_ro_dir-function.patch b/testing/apparmor/0002-libapparmor-make-aa_policy_cache_add_ro_dir-function.patch
new file mode 100644
index 0000000000..a82d27d9cf
--- /dev/null
+++ b/testing/apparmor/0002-libapparmor-make-aa_policy_cache_add_ro_dir-function.patch
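Review bot: The guard on the fallback reads `#ifndef HAVE_REALLOCARRY`, but the `AC_CHECK_FUNCS([... reallocarray])` line this same patch adds to configure.ac would define `HAVE_REALLOCARRAY`, so the guard never matches and the wrapper is compiled even where libc already provides reallocarray(). The wrapper also hands `nmemb * size` straight to realloc() without the overflow check that reallocarray(3) exists to provide, so a wrapped product yields an undersized allocation that callers then index as if it were full-sized. I would correct the macro name and reject overflow before the call, e.g. `if (size && nmemb > SIZE_MAX / size) { errno = ENOMEM; return NULL; }` ahead of `return realloc(ptr, nmemb * size);`. That assumes private.c already includes <errno.h> and <stdint.h>, which this hunk does not show.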
@@ -0,0 +1,46 @@
+From 8defe4bcb2f37e39d9d10300af82f8c62b7be84f Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 26 Apr 2018 14:51:43 +0100
+Subject: [PATCH 02/11] libapparmor: make `aa_policy_cache_add_ro_dir` function
+ visible
+
+While the parser makes use of the `aa_policy_cache_add_ro_dir` function,
+it is not being declared as a global function in the libapparmor.map
+file. Due to this, dynamic linking of apparmor_parser with
+libapparmor.so is not possible.
+
+[Fixed up to use 2.13.1 symbol section as when the
+ `aa_policy_cache_add_ro_dir` was introduced -- @smb]
+
+(cherry picked from commit 1506f2cf0e89b0a04154c64ec058ab0f5541692e)
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
+Acked-by: John Johansen <john.johansen@canonical.com>
+
+PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
+---
+ libraries/libapparmor/src/libapparmor.map | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index 1ca2bd6b..f5b55836 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -108,6 +108,13 @@ APPARMOR_2.13 {
+ *;
+ } APPARMOR_2.11;
+
++APPARMOR_2.13.1 {
++ global:
++ aa_policy_cache_add_ro_dir;
++ local:
++ *;
++} APPARMOR_2.13;
++
+ PRIVATE {
+ global:
+ _aa_is_blacklisted;
+--
+2.17.1
+
diff --git a/testing/apparmor/0003-libapparmor-do-not-honor-LIBAPPARMOR_DEBUG-when-secu.patch b/testing/apparmor/0003-libapparmor-do-not-honor-LIBAPPARMOR_DEBUG-when-secu.patch
new file mode 100644
index 0000000000..71c88b8699
--- /dev/null
+++ b/testing/apparmor/0003-libapparmor-do-not-honor-LIBAPPARMOR_DEBUG-when-secu.patch
@@ -0,0 +1,53 @@
+From f55d5b3ff0be7c8e903dc367b7747324e9556dd5 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 26 Apr 2018 14:52:17 +0100
+Subject: [PATCH 03/11] libapparmor: do not honor $LIBAPPARMOR_DEBUG when
+ `secure_getenv` is undefined
+
+The `secure_getenv` function is a non-POSIX compliant extension of
+glibc. In contrast to the POSIX `getenv`, `secure_getenv` will return
+`NULL` for all environment variables when the program is run with
+escalated privileges due to an SUID or SGID bit. Some strictly
+POSIX-compliant libc libraries, most notably musl libc, do not have this
+function and do not wish to implement it. Thus, AppArmor cannot be
+compiled on such systems.
+
+In libapparmor, `secure_getenv` is only used to determine whether the
+environment variable DEBUG_ENV_VAR has been set to enable debugging. In
+case an unprivileged user runs a SUID/SGID executable linked against
+libapparmor, we do not want that user to be able to get additional
+information via debug output.
+
+The fix here is to produce an error only in case where debug output is
+enabled by defining ENABLE_DEBUG_OUTPUT. Otherwise, we simply define
+`secure_getenv` to `NULL` to completely disable the debug output.
+
+(cherry picked from commit 778176b9d84580f2e5a3be301ef9797b34ed69b9)
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Acked-by: Steve Beattie <steve@nxnw.org>
+
+PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
+---
+ libraries/libapparmor/src/private.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c
+index 218f6628..f5cc2a4c 100644
+--- a/libraries/libapparmor/src/private.c
++++ b/libraries/libapparmor/src/private.c
+@@ -38,8 +38,10 @@
+ #ifndef HAVE_SECURE_GETENV
+ #ifdef HAVE___SECURE_GETENV
+ #define secure_getenv __secure_getenv
++ #elif ENABLE_DEBUG_OUTPUT
++ #error Debug output is not possible without a secure_getenv() implementation.
+ #else
+- #error neither secure_getenv nor __secure_getenv is available
++ #define secure_getenv(env) NULL
+ #endif
+ #endif
+
+--
+2.17.1
+
diff --git a/testing/apparmor/0004-parser-provide-typedefs-for-comparison_fn_t-and-__fr.patch b/testing/apparmor/0004-parser-provide-typedefs-for-comparison_fn_t-and-__fr.patch
new file mode 100644
index 0000000000..784fa52c77
--- /dev/null
+++ b/testing/apparmor/0004-parser-provide-typedefs-for-comparison_fn_t-and-__fr.patch
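Review bot: The new `#define secure_getenv(env) NULL` branch carries no comment saying the lookup is disabled on purpose, so a later reader could take it for a stub and substitute plain getenv(), which would let the environment of a set-id program switch debug output back on. A comment directly above it such as `/* No secure_getenv(): deliberately ignore the environment instead of falling back to getenv() */` would record the intent. `#elif ENABLE_DEBUG_OUTPUT` also evaluates an identifier that may be undefined, which trips -Wundef and becomes a preprocessor error if the macro is ever defined empty. `#elif defined(ENABLE_DEBUG_OUTPUT)` avoids both if the build treats it as a plain on/off flag, which this hunk does not show.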
@@ -0,0 +1,53 @@
+From 2e32573574a01681b2b159016e77b0de21e9d70d Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 26 Apr 2018 14:54:05 +0100
+Subject: [PATCH 04/11] parser: provide typedefs for comparison_fn_t and
+ __free_fn_t
+
+The POSIX standard never defines the typedefs `comparison_fn_t` and
+`__free_fn_t`, but they are provided by glibc and user in the parsing
+code. Provide the typedefs ourselves to fix compiling on musl based
+systems.
+
+(cherry picked from commit 655d3e782661aa756a53b45b2235205f88e1e0d0)
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Acked-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Steve Beattie <steve@nxnw.org>
+
+PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
+---
+ parser/parser_alias.c | 2 ++
+ parser/parser_symtab.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/parser/parser_alias.c b/parser/parser_alias.c
+index f5b6da4e..b96d18f8 100644
+--- a/parser/parser_alias.c
++++ b/parser/parser_alias.c
+@@ -25,6 +25,8 @@
+ #include "parser.h"
+ #include "profile.h"
+
++typedef int (*comparison_fn_t)(const void *, const void *);
++
+ struct alias_rule {
+ char *from;
+ char *to;
+diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
+index 3e667d87..7b8f211b 100644
+--- a/parser/parser_symtab.c
++++ b/parser/parser_symtab.c
+@@ -25,6 +25,9 @@
+ #include "immunix.h"
+ #include "parser.h"
+
++typedef int (*comparison_fn_t)(const void *, const void *);
++typedef void (*__free_fn_t)(void *);
++
+ enum var_type {
+ sd_boolean,
+ sd_set,
+--
+2.17.1
+
diff --git a/testing/apparmor/0005-libapparmor-fix-scandirat-with-musl-libc.patch b/testing/apparmor/0005-libapparmor-fix-scandirat-with-musl-libc.patch
new file mode 100644
index 0000000000..895cd98d71
--- /dev/null
+++ b/testing/apparmor/0005-libapparmor-fix-scandirat-with-musl-libc.patch
@@ -0,0 +1,96 @@ +From 1b918a4af49ae4a2644b089ff3263018157365ab Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Wed, 4 Jul 2018 16:50:24 +0200 +Subject: [PATCH 05/11] libapparmor: fix scandirat with musl libc + +This commits adds a configure check for scandirat() and if it's +not available, provides it an implementation based on scandir() +from musl libc +--- + libraries/libapparmor/configure.ac | 2 +- + libraries/libapparmor/src/private.c | 56 +++++++++++++++++++++++++++++ + 2 files changed, 57 insertions(+), 1 deletion(-) + +diff --git a/libraries/libapparmor/configure.ac b/libraries/libapparmor/configure.ac +index 73d99398..699f7477 100644 +--- a/libraries/libapparmor/configure.ac ++++ b/libraries/libapparmor/configure.ac +@@ -81,7 +81,7 @@ AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes) + AC_HEADER_STDC + AC_CHECK_HEADERS(unistd.h stdint.h syslog.h) + +-AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv reallocarray]) ++AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv reallocarray scandirat]) + + AM_PROG_CC_C_O + AC_C_CONST +diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c +index f5cc2a4c..5c023d32 100644 +--- a/libraries/libapparmor/src/private.c ++++ b/libraries/libapparmor/src/private.c +@@ -45,6 +45,62 @@ + #endif + #endif + ++/** ++ * Allow libapparmor to build on other libcs that do not support scandirat ++ */ ++#ifndef HAVE_SCANDIRAT ++#include <inttypes.h> ++ ++int scandirat(int dir_fd, const char *dirp, struct dirent ***namelist, ++ int (*filter)(const struct dirent *), ++ int (*compar)(const struct dirent **, const struct dirent **)) ++{ ++ int fd; ++ DIR *d; ++ struct dirent *de, **names=0, **tmp; ++ size_t cnt=0, len=0; ++ int old_errno = errno; ++ ++ ++ fd = openat(dir_fd, dirp, O_RDONLY|O_CLOEXEC); ++ if (fd == -1) return -1; ++ ++ d = fdopendir(fd); ++ ++ if (!d) { ++ close(fd); ++ return -1; ++ } ++ ++ while ((errno=0), (de = readdir(d))) { ++ if (filter && !filter(de)) 
continue; ++ if (cnt >= len) { ++ len = 2*len+1; ++ if (len > SIZE_MAX/sizeof *names) break; ++ tmp = realloc(names, len * sizeof *names); ++ if (!tmp) break; ++ names = tmp; ++ } ++ names[cnt] = malloc(de->d_reclen); ++ if (!names[cnt]) break; ++ memcpy(names[cnt++], de, de->d_reclen); ++ } ++ ++ closedir(d); ++ ++ if (errno) { ++ if (names) while (cnt-->0) free(names[cnt]); ++ free(names); ++ return -1; ++ } ++ errno = old_errno; ++ ++ if (compar) qsort(names, cnt, sizeof *names, (int (*)(const void *, const void *))compar); ++ *namelist = names; ++ return cnt; ++} ++#endif ++ + /** + * Allow libapparmor to build on older glibcs and other libcs that do + * not support reallocarray. +-- +2.17.1 + diff --git a/testing/apparmor/0003-Link-against-gettext-library.patch b/testing/apparmor/0006-Fix-linking-against-gettext-on-musl-libc.patch index bab5374fba..3f14d92815 100644 --- a/testing/apparmor/0003-Link-against-gettext-library.patch +++ b/testing/apparmor/0006-Fix-linking-against-gettext-on-musl-libc.patch @@ -1,3 +1,14 @@ +From 3a8b6738b80faa9049cdda00de86eac33aa677b8 Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Wed, 4 Jul 2018 16:57:19 +0200 +Subject: [PATCH 06/11] Fix linking against gettext on musl libc + +Both parser and binutils must be linked against gettext +--- + binutils/Makefile | 2 +- + parser/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + diff --git a/binutils/Makefile b/binutils/Makefile index 7fb71813..52e55f70 100644 --- a/binutils/Makefile @@ -12,10 +23,10 @@ index 7fb71813..52e55f70 100644 ifdef USE_SYSTEM # Using the system libapparmor so Makefile dependencies can't be used diff --git a/parser/Makefile b/parser/Makefile -index 4d370c36..0eca5702 100644 +index b18cfe41..193a30f7 100644 --- a/parser/Makefile 
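Review bot: `openat(dir_fd, dirp, O_RDONLY|O_CLOEXEC)` in the fallback scandirat() opens the path before anything confirms it is a directory; fdopendir() rejects a non-directory afterwards, but by then the open has already happened and can block on a FIFO or touch a device node. Adding the flag, `fd = openat(dir_fd, dirp, O_RDONLY|O_DIRECTORY|O_CLOEXEC);`, makes the kernel refuse those up front. Separately, the `if (len > SIZE_MAX/sizeof *names) break;` exit appears to leave errno at 0, so that path would return a truncated list as success, and `return cnt;` narrows size_t to int. Setting `errno = ENOMEM;` before that break would route it through the existing cleanup branch.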
+++ b/parser/Makefile -@@ -87,7 +87,7 @@ AAREDIR= libapparmor_re +@@ -90,7 +90,7 @@ AAREDIR= libapparmor_re AAREOBJECT = ${AAREDIR}/libapparmor_re.a AAREOBJECTS = $(AAREOBJECT) AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS) @@ -25,5 +36,5 @@ index 4d370c36..0eca5702 100644 ifdef USE_SYSTEM # Using the system libapparmor so Makefile dependencies can't be used -- -2.16.1 +2.17.1 diff --git a/testing/apparmor/0006-Remove-ofile-tests-for-parser.patch b/testing/apparmor/0006-Remove-ofile-tests-for-parser.patch deleted file mode 100644 index 494487a747..0000000000 --- a/testing/apparmor/0006-Remove-ofile-tests-for-parser.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/parser/tst/simple_tests/rlimits/ok_rlimit_09.sd b/parser/tst/simple_tests/rlimits/ok_rlimit_09.sd -deleted file mode 100644 -index 6510ae72..00000000 ---- a/parser/tst/simple_tests/rlimits/ok_rlimit_09.sd -+++ /dev/null -@@ -1,7 +0,0 @@ --# --#=DESCRIPTION simple max open file (same as nofile) rlimit test --#=EXRESULT PASS -- --profile rlimit { -- set rlimit ofile <= 1234, --} --- -2.16.1 - diff --git a/testing/apparmor/0004-Remove-vim-from-default-utils-build.patch b/testing/apparmor/0007-utils-remove-vim-from-the-default-build.patch index 56845739c4..14ea3ea499 100644 --- a/testing/apparmor/0004-Remove-vim-from-default-utils-build.patch +++ b/testing/apparmor/0007-utils-remove-vim-from-the-default-build.patch @@ -1,3 +1,13 @@ +From 09cfa1f321a306429390a8ed2b347d5335f75126 Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Wed, 4 Jul 2018 17:02:34 +0200 +Subject: [PATCH 07/11] utils: remove vim from the default build + +We will build the vim utils as a separate target +--- + utils/Makefile | 4 ---- + 1 file changed, 4 deletions(-) + diff --git a/utils/Makefile b/utils/Makefile index 68f8c376..01604796 100644 --- a/utils/Makefile @@ -32,5 +42,5 @@ index 68f8c376..01604796 100644 $(MAKE) -C test check - $(MAKE) -C vim check -- -2.16.1 +2.17.1 
diff --git a/testing/apparmor/0005-Remove-parser-test-against-rttime.patch b/testing/apparmor/0008-parser-remove-specific-tests-for-rttime.patch index 5d9f2450f3..7f7c51ec5d 100644 --- a/testing/apparmor/0005-Remove-parser-test-against-rttime.patch +++ b/testing/apparmor/0008-parser-remove-specific-tests-for-rttime.patch @@ -1,3 +1,18 @@ +From 965304dcdd7bc69f861a8d796dccbf807cbec5f9 Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Wed, 4 Jul 2018 17:05:10 +0200 +Subject: [PATCH 08/11] parser: remove specific tests for rttime + +musl libc doesn't implement this feature, so the tests fail. +We must find a way to skip those tests instead of removing them +--- + parser/tst/equality.sh | 18 +++++++++--------- + .../tst/simple_tests/rlimits/ok_rlimit_13.sd | 7 ------- + .../tst/simple_tests/rlimits/ok_rlimit_18.sd | 7 ------- + 3 files changed, 9 insertions(+), 23 deletions(-) + delete mode 100644 parser/tst/simple_tests/rlimits/ok_rlimit_13.sd + delete mode 100644 parser/tst/simple_tests/rlimits/ok_rlimit_18.sd + diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh index 029eec46..3b2f0f9f 100755 --- a/parser/tst/equality.sh @@ -54,5 +69,5 @@ index f2747f10..00000000 - set rlimit rttime <= 60minutes, -} -- -2.16.1 +2.17.1 diff --git a/testing/apparmor/0009-parser-remove-specific-tests-for-ofile.patch b/testing/apparmor/0009-parser-remove-specific-tests-for-ofile.patch new file mode 100644 index 0000000000..9c19130cf5 --- /dev/null +++ b/testing/apparmor/0009-parser-remove-specific-tests-for-ofile.patch 
@@ -0,0 +1,28 @@ +From baf1eeb398d0201260a11a9ba9270461da7a0dc3 Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Wed, 4 Jul 2018 17:08:11 +0200 +Subject: [PATCH 09/11] parser: remove specific tests for ofile + +musl libc doesn't implement this feature, so the test fail. +We must find a way to skip this test instead of removing it +--- + parser/tst/simple_tests/rlimits/ok_rlimit_09.sd | 7 ------- + 1 file changed, 7 deletions(-) + delete mode 100644 parser/tst/simple_tests/rlimits/ok_rlimit_09.sd + +diff --git a/parser/tst/simple_tests/rlimits/ok_rlimit_09.sd b/parser/tst/simple_tests/rlimits/ok_rlimit_09.sd +deleted file mode 100644 +index 6510ae72..00000000 +--- a/parser/tst/simple_tests/rlimits/ok_rlimit_09.sd ++++ /dev/null +@@ -1,7 +0,0 @@ +-# +-#=DESCRIPTION simple max open file (same as nofile) rlimit test +-#=EXRESULT PASS +- +-profile rlimit { +- set rlimit ofile <= 1234, +-} +-- +2.17.1 + diff --git a/testing/apparmor/0007-Adjust-several-utils-test-to-Alpine.patch b/testing/apparmor/0010-utils-adjust-tests-to-match-the-Alpine-layout.patch index 84f213a7ec..ef89db63d3 100644 --- a/testing/apparmor/0007-Adjust-several-utils-test-to-Alpine.patch +++ b/testing/apparmor/0010-utils-adjust-tests-to-match-the-Alpine-layout.patch @@ -1,5 +1,16 @@ +From 775861e7dc083c1fdab3cfb2d2b710b6091ac424 Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Wed, 4 Jul 2018 17:11:42 +0200 +Subject: [PATCH 10/11] utils: adjust tests to match the Alpine layout + +Here we need to adjust several utilities path with the ones used by +Alpine +--- + utils/test/test-aa.py | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py -index 94d29f91..5c5645fa 100644 +index 243283a9..41693830 100644 --- a/utils/test/test-aa.py +++ b/utils/test/test-aa.py @@ -154,12 +154,12 @@ class AaTest_get_interpreter_and_abstraction(AATest): 
@@ -20,5 +31,5 @@ index 94d29f91..5c5645fa 100644 ('#!/usr/bin/python2.7', ('/usr/bin/python2.7', 'abstractions/python')), ('#!/usr/bin/python3', ('/usr/bin/python3', 'abstractions/python')), -- -2.16.1 +2.17.1 diff --git a/testing/apparmor/0008-Adjust-apparmor-functions-path.patch b/testing/apparmor/0011-utils-adjust-rc-functions-for-aa-remove-unknown.patch index 6065154c05..36c6cd8b93 100644 --- a/testing/apparmor/0008-Adjust-apparmor-functions-path.patch +++ b/testing/apparmor/0011-utils-adjust-rc-functions-for-aa-remove-unknown.patch @@ -1,3 +1,15 @@ +From 10def67d03ac5ae5cdd4a9b82f643869deb43f60 Mon Sep 17 00:00:00 2001 +From: allgdante <allan.garret@gmail.com> +Date: Thu, 5 Jul 2018 17:32:46 +0200 +Subject: [PATCH 11/11] utils: adjust rc functions for aa-remove-unknown + +Update the path to the rc.apparmor.functions file to the one we can find +inside Alpine. +No intended functional changes +--- + utils/aa-remove-unknown | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + diff --git a/utils/aa-remove-unknown b/utils/aa-remove-unknown index d3bd9144..0b9ead7d 100644 --- a/utils/aa-remove-unknown @@ -11,3 +23,6 @@ index d3bd9144..0b9ead7d 100644 APPARMORFS=/sys/kernel/security/apparmor PROFILES="${APPARMORFS}/profiles" REMOVE="${APPARMORFS}/.remove" +-- +2.17.1 + diff --git a/testing/apparmor/APKBUILD b/testing/apparmor/APKBUILD index be81cd95cd..9cfa120d69 100644 --- a/testing/apparmor/APKBUILD +++ b/testing/apparmor/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Allan Garret <allan.garret@gmail.com> # Maintainer: Allan Garret <allan.garret@gmail.com> pkgname=apparmor -pkgver=2.12 +pkgver=2.13 pkgrel=0 pkgdesc="Linux application security framework - mandatory access control for programs" url="https://gitlab.com/apparmor/apparmor/wikis/home" 
@@ -31,14 +31,17 @@ source=" apparmor.initd - 0001-Add-missing-secure_getenv-and-scandirat-functions.patch - 0002-Add-missing-typedef-definitions-on-parser.patch - 0003-Link-against-gettext-library.patch - 0004-Remove-vim-from-default-utils-build.patch - 0005-Remove-parser-test-against-rttime.patch - 0006-Remove-ofile-tests-for-parser.patch - 0007-Adjust-several-utils-test-to-Alpine.patch - 0008-Adjust-apparmor-functions-path.patch + 0001-libapparmor-fix-reallocarray-FTBFS-w-older-glibc.patch + 0002-libapparmor-make-aa_policy_cache_add_ro_dir-function.patch + 0003-libapparmor-do-not-honor-LIBAPPARMOR_DEBUG-when-secu.patch + 0004-parser-provide-typedefs-for-comparison_fn_t-and-__fr.patch + 0005-libapparmor-fix-scandirat-with-musl-libc.patch + 0006-Fix-linking-against-gettext-on-musl-libc.patch + 0007-utils-remove-vim-from-the-default-build.patch + 0008-parser-remove-specific-tests-for-rttime.patch + 0009-parser-remove-specific-tests-for-ofile.patch + 0010-utils-adjust-tests-to-match-the-Alpine-layout.patch + 0011-utils-adjust-rc-functions-for-aa-remove-unknown.patch " builddir="$srcdir"/$pkgname-$pkgver 
@@ -208,13 +211,16 @@ _apparmor_vim() { -sha512sums="d85fd47c66333fe5658ee5e977b32142697f6e36c575550712ee2ace2ad0fbf2aa59c8fd3b82ad8821c0190adf8cc150cf623ea09a84d5b32bde050a03dd6e9a apparmor-2.12.tar.gz +sha512sums="f98914713153d4c823a3ea7e96291cc4528bf7c8d3a139286ae0ecd806613e9c34b0ad81f2b258df2193cf6f3157d3252ef72d32d339427948a3fd8ba5651827 apparmor-2.13.tar.gz 1a57cc577ba3aedfbe10ef6148c1e8f5d0bbf65c99e60eec80c52409c9dab59ae002024500c6e4fd0e01e8c7aeb0c85e3e6b41cacee08c17fdd869d31bca614e apparmor.initd -8e9f9914a3d0f5368811324a2be34ffebcb2d33add7289a37f2710497b8df0d95d7c33c792a844bae1e2fc320ff91e09313271aef1ad2bf5a37f2b634c652f73 0001-Add-missing-secure_getenv-and-scandirat-functions.patch -e26fcb2f68fdba1cce076fdf37803175ab42ae2df4fccea74275bea7d0937e2992fd1e0dcb521b11f6c44a73bcf2819579f34a26e4e62e618e8259fee81cf302 0002-Add-missing-typedef-definitions-on-parser.patch -949af1827ef533f60065fbbcdd72f15cb367ad69b0922a56011a31cd740f63c4834ba675c3686823f1f8319d2455498edb8fc626c02d2c8dfd0843e52ce0dbde 0003-Link-against-gettext-library.patch -11b51b046c3acd83b6b0978ac3806ad3a65e5a678dd8ea01b910cd50c51c36a31c8e0f20223f4715dfe28d80e7d2b1d578dc632de8092d8700723af8188a4bf4 0004-Remove-vim-from-default-utils-build.patch -b73fb44dc4649178d4aea8e491f74b025bde75bbdcf7b8fc1d17af30b562f58a743d7bde2a21db5c9dd71d863d1eb84d6b62143c90fff7ec7124d7b0ec590287 0005-Remove-parser-test-against-rttime.patch -2e169df847af74c2bf8906a595afa785dbf293b4d753fbfbb8cc0c2c0d2e5f6a8dd63b2400df57ad1f03330e5d5a39d4f893a3ca0aedf7bc832db48da7d4e67c 0006-Remove-ofile-tests-for-parser.patch -8949df983f36af91f887f13795681213758cf54a59c1ee710f7e2936a7a2e1e7551a1268c8abe0b95d852d24097ba52a39befd890126aa4d4c8e55656af64d2f 0007-Adjust-several-utils-test-to-Alpine.patch -bd8a4ac30c6803e2bc219db925f0d577a56cf29f08a9b109d593b06d833351d49eeba67a243f0e1e696c94958b7df9afb0f4be02453c197892fde3b99803c89f 0008-Adjust-apparmor-functions-path.patch" 
+1707a2b51d354f9c0e9f0212e414ae1c95de13fdb084892ab17a75ca957681c48830db204683e86daa464ed022dc9dbce7fa471dc1abb64c0723a029f146bc29 0001-libapparmor-fix-reallocarray-FTBFS-w-older-glibc.patch +2f6aa09b0cd93475d498d2d7f7b492849abc115d5ff5046cc565c1c0a6d0cb514cb2e3a5a51ee7d98878a40c7163304f431ffda0af40033666383abb9d8e6533 0002-libapparmor-make-aa_policy_cache_add_ro_dir-function.patch +20a5c5faa16b42005fc48499c8a270c5e84b5aff47c9be0daf8ba837e9012617a27a0c577a0b777e62c602f355237257f71b4acf07937594a7ca027b8a257f86 0003-libapparmor-do-not-honor-LIBAPPARMOR_DEBUG-when-secu.patch +8ccc41ef3363b3639f9809607c047e6da0dd1f784fabc9117b14726642c5a9015de95d64cb49f238b56ab80ee699dd8fe978c3265220728e220e90aaccab5ede 0004-parser-provide-typedefs-for-comparison_fn_t-and-__fr.patch +f86fc232671721f22452496d61b591a651a427d073168f58da29f2134b3dc561815011e182ed1d065c2309bc0200e33410687c666a2063a8b1e5b5f0a8223a2c 0005-libapparmor-fix-scandirat-with-musl-libc.patch +e3b6193f343cf8c288b914c4f9517117c570a3e3a172a44d8225be09d3215ed4ffd521e63a5dc5ca328179626e9f2f5e8e733943eac4feff5d4825097daca564 0006-Fix-linking-against-gettext-on-musl-libc.patch +9a273ba5c92c84acfda45d5e177b8bab13a42a6b803b20ac5d55f800d1da95d5fa2fd91312062125b80b20eeb548d5c2d879b072927103d3aeafb90d3530b51f 0007-utils-remove-vim-from-the-default-build.patch +8970817ef17137f8a2d79e66d778e15184bac45523afeaaed858b49fbfe6a4d1476121ed952c6c0219509212cca5fc87d03bd70ec669a460937723db7582acaf 0008-parser-remove-specific-tests-for-rttime.patch +ed245911d743eb1bf13cc6cef947c0a82791226068ad91436918f1ddb039173b82ecaa1300e2655d5748af57a3c8cd9b27a1d6a66f411320765683474c8eafb5 0009-parser-remove-specific-tests-for-ofile.patch +e4d50f89fbdda916af3ea0bc7d574ccba3d252ec1506d07e744fd35b556fb6ae6307f2c856135963f810e10ce8b866e67708cc48e06afbd9f5a7e3e68acea9fc 0010-utils-adjust-tests-to-match-the-Alpine-layout.patch +4a1477e8c9ac22901809eb95b813ca6a7065dbae25f977cb6e7a819be6e2a450db9432f1b15137dc3b8daf83f4d54f85bbfed9001a891a20aa603ff2a64deeb7 
0011-utils-adjust-rc-functions-for-aa-remove-unknown.patch" |