Added manpages for the tools, fixes from rev 59..62, some fixes from rev 58

Tools/aa-audit

@@ -5,7 +5,7 @@ import argparse
 import apparmor.tools
 
 parser = argparse.ArgumentParser(description='Switch the given programs to audit mode')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('-r', '--remove', action='store_true', help='remove audit mode')
 parser.add_argument('program', type=str, nargs='+', help='name of program')
 args = parser.parse_args()

Tools/aa-autodep

@@ -6,7 +6,7 @@ import apparmor.tools
 
 parser = argparse.ArgumentParser(description='')
 parser.add_argument('--force', type=str, help='override existing profile')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('program', type=str, nargs='+', help='name of program')
 args = parser.parse_args()
 

Tools/aa-cleanprof

@@ -5,7 +5,7 @@ import argparse
 import apparmor.tools
 
 parser = argparse.ArgumentParser(description='Cleanup the profiles for the given programs')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('program', type=str, nargs='+', help='name of program')
 args = parser.parse_args()
 

Tools/aa-complain

@@ -5,7 +5,7 @@ import argparse
 import apparmor.tools
 
 parser = argparse.ArgumentParser(description='Switch the given program to complain mode')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('-r', '--remove', action='store_true', help='remove complain mode')
 parser.add_argument('program', type=str, nargs='+', help='name of program')
 args = parser.parse_args()

Tools/aa-disable

@@ -5,7 +5,7 @@ import argparse
 import apparmor.tools
 
 parser = argparse.ArgumentParser(description='Disable the profile for the given programs')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('-r', '--revert', action='store_true', help='enable the profile for the given programs')
 parser.add_argument('program', type=str, nargs='+', help='name of program')
 args = parser.parse_args()

Tools/aa-enforce

@@ -5,7 +5,7 @@ import argparse
 import apparmor.tools
 
 parser = argparse.ArgumentParser(description='Switch the given program to enforce mode')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('-r', '--remove', action='store_true', help='switch to complain mode')
 parser.add_argument('program', type=str, nargs='+', help='name of program')
 args = parser.parse_args()

Tools/aa-genprof

@@ -34,8 +34,8 @@ def restore_ratelimit():
     sysctl_write(ratelimit_sysctl, ratelimit_saved)
 
 parser = argparse.ArgumentParser(description='Generate profile for the given program')
-parser.add_argument('-d', type=str, help='path to profiles')
-parser.add_argument('-f', type=str, help='path to logfile')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
+parser.add_argument('-f', '--file', type=str, help='path to logfile')
 parser.add_argument('program', type=str, help='name of program to profile')
 args = parser.parse_args()
 

Tools/aa-logprof

@@ -6,8 +6,8 @@ import os
 import apparmor.aa as apparmor
 
 parser = argparse.ArgumentParser(description='Process log entries to generate profiles')
-parser.add_argument('-d', type=str, help='path to profiles')
-parser.add_argument('-f', type=str, help='path to logfile')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
+parser.add_argument('-f', '--file', type=str, help='path to logfile')
 parser.add_argument('-m', type=str, help='mark in the log to start processing after')
 args = parser.parse_args()
 

Tools/aa-mergeprof

@@ -2,16 +2,16 @@
 
 import argparse
 import sys
-import cleanprof
 
 import apparmor.aa as apparmor
 import apparmor.cleanprofile as cleanprofile
+
 parser = argparse.ArgumentParser(description='Perform a 3way merge on the given profiles')
 ##parser.add_argument('profiles', type=str, nargs=3, help='MINE BASE OTHER')
 parser.add_argument('mine', type=str, help='Your profile')
 parser.add_argument('base', type=str, help='The base profile')
 parser.add_argument('other', type=str, help='Other profile')
-parser.add_argument('-d', type=str, help='path to profiles')
+parser.add_argument('-d', '--dir', type=str, help='path to profiles')
 parser.add_argument('-auto', action='store_true', help='Automatically merge profiles, exits incase of *x conflicts')
 args = parser.parse_args()
 
@@ -514,5 +514,3 @@ class Merge(object):
 # m3 = Merge3(base, a, b)
 # 
 # sys.stdout.write(m3.merge_annotated())
-
-

Tools/aa-unconfined

@@ -6,8 +6,8 @@ import re
 
 import apparmor.aa as apparmor
 
-parser = argparse.ArgumentParser(description='')
-parser.add_argument('--paranoid', action='store_true')
+parser = argparse.ArgumentParser(description='Lists unconfined processes having tcp or udp ports')
+parser.add_argument('--paranoid', action='store_true', help='scan all processes from /proc')
 args = parser.parse_args()
 
 paranoid = args.paranoid

Tools/manpages/aa-audit.pod

@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+aa-audit - set a AppArmor security profile to I<audit> mode.
+
+=head1 SYNOPSIS
+
+B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-r --remove>
+
+   Removes the audit mode for the profile.  
+
+=head1 DESCRIPTION
+
+B<aa-audit> is used to set the audit mode for one or more profiles to audit.
+In this mode security policy is enforced and all access (successes and failures) are logged to the system log.
+
+The I<--remove> option can be used to remove the audit mode for the profile.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1),
+aa_change_hat(2), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-autodep.pod

@@ -0,0 +1,66 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-autodep - guess basic AppArmor profile requirements
+
+=head1 SYNOPSIS
+
+B<aa-autodep I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-f>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-f --force>
+
+   Overrides any existing AppArmor profile for the executable with the generated minimal AppArmor profile.
+
+=head1 DESCRIPTION
+
+B<aa-autodep> is used to generate a minimal AppArmor profile for a set of
+executables. This program will generate a profile for binary executable
+as well as interpreted script programs. At a minimum aa-autodep will provide
+a base profile containing a base include directive which includes basic
+profile entries needed by most programs.  The profile is generated by
+recursively calling ldd(1) on the executables listed on the command line.
+
+The I<--force> option will override any existing profile for the executable with
+the newly generated minimal AppArmor profile.
+
+=head1 BUGS
+
+This program does not perform full static analysis of executables, so
+the profiles generated are necessarily incomplete. If you find any bugs,
+please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-complain(1), aa-enforce(1), aa-disable(1),
+aa_change_hat(2), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-cleanprof.pod

@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+aa-cleanprof - clean an existing AppArmor security profile.
+
+=head1 SYNOPSIS
+
+B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+=head1 DESCRIPTION
+
+B<aa-cleanprof> is used to perform a cleanup on one or more profiles.
+The tool removes any existing superfluous rules, reorders the rules to group 
+similar rules together and removes all comments.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1),
+aa_change_hat(2), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-complain.pod

@@ -0,0 +1,61 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-complain - set a AppArmor security profile to I<complain> mode.
+
+=head1 SYNOPSIS
+
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-r --remove>
+
+   Removes the complain mode for the profile.  
+
+=head1 DESCRIPTION
+
+B<aa-complain> is used to set the enforcement mode for one or more profiles to
+complain. In this mode security policy is not enforced but rather access
+violations are logged to the system log.
+
+The I<--remove> option can be used to remove the complain mode for the profile,
+setting it to enforce mode by default.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-disable(1),
+aa_change_hat(2), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-disable.pod

@@ -0,0 +1,62 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-disable - disable an AppArmor security profile
+
+=head1 SYNOPSIS
+
+B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-r --revert>
+
+   Enables the profile and loads it.  
+
+=head1 DESCRIPTION
+
+B<aa-disable> is used to disable the enforcement mode for one or more
+profiles. This command will unload the profile from the kernel and
+prevent the profile from being loaded on AppArmor startup. The
+I<aa-enforce> and I<aa-complain> utilities may be used to to change this
+behavior.
+
+The I<--revert> option can be used to enable the profile.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1),
+aa_change_hat(2), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-enforce.pod

@@ -0,0 +1,65 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-enforce - set an AppArmor security profile to I<enforce> mode from
+being disabled or I<complain> mode.
+
+=head1 SYNOPSIS
+
+B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+
+=head1 OPTIONS
+
+B<-d --dir / path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-r --remove>
+
+   Removes the enforce mode for the profile.  
+
+=head1 DESCRIPTION
+
+B<aa-enforce> is used to set the enforcement mode for one or more profiles
+to I<enforce>.  This command is only relevant in conjunction with the
+I<aa-complain> utility which sets a profile to complain mode and the
+I<aa-disable> utility which unloads and disables a profile. The default
+mode for a security policy is enforce and the I<aa-complain> utility must
+be run to change this behavior.
+
+The I<--remove> option can be used to remove the enforce mode for the profile,
+setting it to complain mode.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-complain(1), aa-disable(1),
+aa_change_hat(2), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-genprof.pod

@@ -0,0 +1,92 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-genprof - profile generation utility for AppArmor
+
+=head1 SYNOPSIS
+
+B<aa-genprof I<E<lt>executableE<gt>> [I<-d /path/to/profiles>] [I<-f /path/to/logfile>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-f --file  /path/to/logfile>
+	
+	Specifies the location of logfile.
+	Default locations are read from F</etc/apparmor/logprof.conf>.
+	Typical defaults are:
+		 /var/log/audit/audit.log
+		 /var/log/syslog
+		 /var/log/messages
+
+=head1 DESCRIPTION
+
+When running aa-genprof, you must specify a program to profile.  If the
+specified program is not a fully-qualified path, aa-genprof will search $PATH
+in order to find the program.
+
+If a profile does not exist for the program, aa-genprof will create one using
+aa-autodep(1).
+
+Genprof will then:
+
+   - set the profile to complain mode 
+
+   - write a mark to the system log
+
+   - instruct the user to start the application to
+     be profiled in another window and exercise its functionality
+
+It then presents the user with two options, (S)can system log for entries 
+to add to profile and (F)inish.
+
+If the user selects (S)can or hits return, aa-genprof will parse
+the complain mode logs and iterate through generated violations
+using aa-logprof(1). 
+
+After the user finishes selecting profile entries based on violations 
+that were detected during the program execution, aa-genprof will reload
+the updated profiles in complain mode and again prompt the user for (S)can and 
+(D)one. This cycle can then be repeated as necessary until all application 
+functionality has been exercised without generating access violations.
+
+When the user eventually hits (F)inish, aa-genprof will set the main profile,
+and any other profiles that were generated, into enforce mode and exit.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), aa-disable(1),
+aa_change_hat(2), aa-logprof(1), logprof.conf(5), and
+L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-logprof.pod

@@ -0,0 +1,171 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-logprof - utility program for managing AppArmor security profiles
+
+=head1 SYNOPSIS
+
+B<aa-logprof [I<-d  /path/to/profiles>] [I<-f /path/to/logfile>] [I<-m E<lt>mark in logfileE<gt>>]>
+
+=head1 OPTIONS
+
+B<-d --dir   /path/to/profiles>
+   
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+B<-f --file   /path/to/logfile>
+   
+    Specifies the location of logfile that contains AppArmor security events.
+	Default locations are read from F</etc/apparmor/logprof.conf>.
+	Typical defaults are:
+		 /var/log/audit/audit.log
+		 /var/log/syslog
+		 /var/log/messages
+
+B< -m --logmark    "mark">
+    
+   aa-logprof will ignore all events in the system log before the
+   specified mark is seen.  If the mark contains spaces, it must 
+   be surrounded with quotes to work correctly.
+
+=head1 DESCRIPTION
+
+B<aa-logprof> is an interactive tool used to review AppArmor's
+complain mode output and generate new entries for AppArmor security
+profiles.
+
+Running aa-logprof will scan the log file and if there are new AppArmor
+events that are not covered by the existing profile set, the user will
+be prompted with suggested modifications to augment the profile.
+
+When aa-logprof exits profile changes are saved to disk.  If AppArmor is
+running, the updated profiles are reloaded and if any processes that
+generated AppArmor events are still running in the null-complain-profile,
+those processes are set to run under their proper profiles.
+
+=head2 Responding to AppArmor Events
+
+B<aa-logprof> will generate a list of suggested profile changes that
+the user can choose from, or they can create their own, to modifiy the
+permission set of the profile so that the generated access violation
+will not re-occur.
+
+The user is then presented with info about the access including profile,
+path, old mode if there was a previous entry in the profile for this path,
+new mode, the suggestion list, and given these options:
+
+   (A)llow, (D)eny, (N)ew, (G)lob last piece, (Q)uit
+
+If the AppArmor profile was in complain mode when the event was generated,
+the default for this option is (A)llow, otherwise, it's (D)eny.
+
+The suggestion list is presented as a numbered list with includes
+at the top, the literal path in the middle, and the suggested globs
+at the bottom.  If any globs are being suggested, the shortest glob
+is the selected option, otherwise, the literal path is selected.
+Picking includes from the list must be done manually.
+
+Hitting a numbered key will change the selected option to the
+corresponding numbered entry in the list.
+
+If the user selects (N)ew, they'll be prompted to enter their own globbed
+entry to match the path.  If the user-entered glob does not match the
+path for this event, they'll be informed and have the option to fix it.
+
+If the user selects (G)lob last piece then, taking the currently selected
+option, aa-logprof will remove the last path element and replace it with /*.
+
+If the last path element already was /*, aa-logprof will go up a directory
+level and replace it with /**.
+
+This new globbed entry is then added to the suggestion list and marked
+as the selected option.
+
+So /usr/share/themes/foo/bar/baz.gif can be turned into
+/usr/share/themes/** by hitting "g" three times.
+
+If the user selects (A)llow, aa-logprof will take the current selection
+and add it to the profile, deleting other entries in the profile that
+are matched by the new entry.
+
+Adding r access to /usr/share/themes/** would delete an entry for r
+access to /usr/share/themes/foo/*.gif if it exists in the profile.
+
+If (Q)uit is selected at this point, aa-logprof will ignore all new pending
+capability and path accesses.
+
+After all of the path accesses have been handled, logrof will write all
+updated profiles to the disk and reload them if AppArmor is running.
+
+=head2 New Process (Execution) Events
+
+If there are unhandled x accesses generated by the execve(2) of a
+new process, aa-logprof will display the parent profile and the target
+program that's being executed and prompt the user to select and execute
+modifier. These modifiers will allow a choice for the target to: have it's
+own profile (px), inherit the parent's profile (ix), run unconstrained
+(ux), or deny access for the target. See apparmor.d(5) for details.
+
+If there is a corresponding entry for the target in the qualifiers
+section of /etc/apparmor/logprof.conf, the presented list will contain only the
+allowed modes.
+
+The default option for this question is selected using this logic--
+
+  # if px mode is allowed and profile exists for the target
+  #   px is default.
+  # else if ix mode is allowed
+  #   ix is default
+  # else
+  #   deny is default
+
+aa-logprof will never suggest "ux" as the default.
+
+=head2 ChangeHat Events
+
+If unknown aa_change_hat(2) events are found, the user is prompted to add a new
+hat, if the events should go into the default hat for this profile based
+on the corresponding entry in the defaulthat section of logprof.conf,
+or if the following events that run under that hat should be denied
+altogether.
+
+=head2 Capability Events
+
+If there are capability accesses, the user is shown each capability
+access and asked if the capability should be allowed, denied, or if the
+user wants to quit. See capability(7) for details.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+klogd(8), auditd(8), apparmor(7), apparmor.d(5), aa_change_hat(2),
+logprof.conf(5), aa-genprof(1), aa-enforce(1), aa-complain(1),
+aa-disable(1), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-mergeprof.pod

@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+aa-mergeprof - merge AppArmor security profiles.
+
+=head1 SYNOPSIS
+
+B<aa-mergeprof I<E<lt>mineE<gt>> I<E<lt>userE<gt>> I<E<lt>otherE<gt>> [I<-d /path/to/profiles>]>
+
+=head1 OPTIONS
+
+B<-d --dir  /path/to/profiles>
+
+   Specifies where to look for the AppArmor security profile set.
+   Defaults to /etc/apparmor.d.
+
+=head1 DESCRIPTION
+
+B<aa-mergeprof>
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor-profile-tools/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), aa_change_hat(2), aa-genprof(1), 
+aa-logprof(1), aa-enforce(1), aa-audit(1), aa-complain(1),
+aa-disable(1), and L<http://wiki.apparmor.net>.
+
+=cut

Tools/manpages/aa-unconfined.pod

@@ -0,0 +1,64 @@
+# This publication is intellectual property of Novell Inc. and Canonical
+# Ltd. Its contents can be duplicated, either in part or in whole, provided
+# that a copyright label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
+# shall be held liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. SUSE LINUX GmbH
+# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-unconfined - output a list of processes with tcp or udp ports that do
+not have AppArmor profiles loaded
+
+=head1 SYNOPSIS
+
+B<aa-unconfined [I<--paranoid>]>
+
+=head1 OPTIONS
+
+B<--paranoid>
+
+   Displays all processes from F</proc> filesystem with tcp or udp ports that 
+   do no have AppArmor profiles loaded.
+
+=head1 DESCRIPTION
+
+B<aa-unconfined> will use netstat(8) to determine which processes have open
+network sockets and do not have AppArmor profiles loaded into the kernel.
+
+=head1 BUGS
+
+B<aa-unconfined> must be run as root to retrieve the process executable
+link from the F</proc> filesystem. This program is susceptible to race
+conditions of several flavours: an unlinked executable will be mishandled;
+an executable started before a AppArmor profile is loaded will not
+appear in the output, despite running without confinement; a process that dies
+between the netstat(8) and further checks will be mishandled. This
+program only lists processes using TCP and UDP. In short, this
+program is unsuitable for forensics use and is provided only as an aid
+to profiling all network-accessible processes in the lab.
+
+If you find any bugs, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+netstat(8), apparmor(7), apparmor.d(5), aa_change_hat(2), and
+L<http://wiki.apparmor.net>.
+
+=cut

apparmor/__init__.py

@@ -3,11 +3,8 @@ import locale
 
 def init_localisation():
     locale.setlocale(locale.LC_ALL, '')
-    cur_locale = locale.getlocale()
-    filename = ''
-    #If a correct locale has been provided set filename else let a IOError be raised by '' path
-    if cur_locale[0]:
-        filename = '/usr/share/locale/%s/LC_MESSAGES/apparmor-utils.mo' % locale.getlocale()[0][0:2]
+    #If a correct locale has been provided set filename else let an IOError be raised
+    filename = '/usr/share/locale/%s/LC_MESSAGES/apparmor-utils.mo' % locale.getlocale()[0]
     try:
         trans = gettext.GNUTranslations(open(filename, 'rb'))
     except IOError:

apparmor/aa.py

@@ -1515,8 +1515,8 @@ def ask_the_questions():
                     
                     audit_toggle = 0
                     
-                    q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
-                                      'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+                    q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
+                                      'CMD_ABORT', 'CMD_FINISHED']
                     
                     # In complain mode: events default to allow
                     # In enforce mode: events default to deny
@@ -1538,12 +1538,12 @@ def ask_the_questions():
                             audit_toggle = not audit_toggle
                             audit = ''
                             if audit_toggle:
-                                q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF',
-                                                  'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+                                q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_OFF',
+                                                  'CMD_ABORT', 'CMD_FINISHED']
                                 audit = 'audit'
                             else:
-                                q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
-                                                  'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+                                q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
+                                                  'CMD_ABORT', 'CMD_FINISHED', ]
                             
                             q['headers'] = [_('Profile'), combine_name(profile, hat),
                                             _('Capability'), audit + capability,
@@ -1762,9 +1762,9 @@ def ask_the_questions():
                             q['headers'] += [_('Severity'), severity]
                             q['options'] = options
                             q['selected'] = default_option - 1
-                            q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_GLOB',
+                            q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
                                               'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
-                                              'CMD_FINISHED', 'CMD_OTHER', 'CMD_IGNORE_ENTRY']
+                                              'CMD_FINISHED', 'CMD_OTHER']
                             q['default'] = 'CMD_DENY'
                             if aamode == 'PERMITTING':
                                 q['default'] = 'CMD_ALLOW'
@@ -1915,8 +1915,8 @@ def ask_the_questions():
                         q['headers'] += [_('Socket Type'), sock_type]
                         
                         audit_toggle = 0
-                        q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
-                                          'CMD_ABORT', 'CMD_FINISHED', 'CMD_IGNORE_ENTRY']
+                        q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
+                                          'CMD_ABORT', 'CMD_FINISHED']
                         q['default'] = 'CMD_DENY'
                         
                         if aamode == 'PERMITTING':
@@ -2078,34 +2078,25 @@ def delete_duplicates(profile, incname):
     deleted = 0
     # Allow rules covered by denied rules shouldn't be deleted
     # only a subset allow rules may actually be denied
-#     deleted += delete_net_duplicates(profile['allow']['netdomain'], include[incname][incname]['allow']['netdomain'])
-#     
-#     deleted += delete_net_duplicates(profile['deny']['netdomain'], include[incname][incname]['deny']['netdomain'])
-#     
-#     deleted += delete_cap_duplicates(profile['allow']['capability'], include[incname][incname]['allow'])
-#     
-#     deleted += delete_cap_duplicates(profile['deny']['capability'], include[incname][incname]['deny']['capability'])
-#     
-#     deleted += delete_path_duplicates(profile, incname, 'allow')
-#     deleted += delete_path_duplicates(profile, incname, 'deny')
 
     if include.get(incname, False):
         deleted += delete_net_duplicates(profile['allow']['netdomain'], include[incname][incname]['allow']['netdomain'])
          
         deleted += delete_net_duplicates(profile['deny']['netdomain'], include[incname][incname]['deny']['netdomain'])
          
-        deleted += delete_cap_duplicates(profile['allow']['capability'], include[incname][incname]['allow'])
+        deleted += delete_cap_duplicates(profile['allow']['capability'], include[incname][incname]['allow']['capability'])
          
         deleted += delete_cap_duplicates(profile['deny']['capability'], include[incname][incname]['deny']['capability'])
          
         deleted += delete_path_duplicates(profile, incname, 'allow')
         deleted += delete_path_duplicates(profile, incname, 'deny')
+        
     elif filelist.get(incname, False):
         deleted += delete_net_duplicates(profile['allow']['netdomain'], filelist[incname][incname]['allow']['netdomain'])
          
         deleted += delete_net_duplicates(profile['deny']['netdomain'], filelist[incname][incname]['deny']['netdomain'])
          
-        deleted += delete_cap_duplicates(profile['allow']['capability'], filelist[incname][incname]['allow'])
+        deleted += delete_cap_duplicates(profile['allow']['capability'], filelist[incname][incname]['allow']['capability'])
          
         deleted += delete_cap_duplicates(profile['deny']['capability'], filelist[incname][incname]['deny']['capability'])
          
@@ -2114,9 +2105,6 @@ def delete_duplicates(profile, incname):
     
     return deleted
 
-    
-    return deleted
-
 def match_net_include(incname, family, type):
     includelist = incname[:]
     checked = []

apparmor/ui.py

@@ -410,7 +410,7 @@ def Text_PromptUser(question):
             
             elif options and re.search('^\d$', ans):
                 ans = int(ans)
-                if ans > 0 and ans < len(options):
+                if ans > 0 and ans <= len(options):
                     selected = ans - 1
                 ans = 'XXXINVALIDXXX'