Merge Partial fix for regression tests if parent directory contains spaces

Most `tests/regression/apparmor/*.sh` scripts contain . $bin/prologue.inc This will explode if one of the parent directories contains a space. Minimized reproducer: ``` # cat test.sh pwd=`dirname $0` pwd=`cd $pwd ; /bin/pwd` bin=$pwd echo "pwd: $bin" . $bin/prologue.inc # ./test.sh pwd: /tmp/foo bar ./test.sh: line 9: /tmp/foo: No such file or directory ``` Notice that test.sh tries to source `/tmp/foo` instead of `/tmp/foo bar/prologue.inc`. The fix is to quote the prologue.inc path: . "$bin/prologue.inc" While on it, also fix other uses of $bin - directly and indirectly - by quoting them. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1418 Approved-by: Ryan Lee <rlee287@yahoo.com> Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2024-11-15 00:46:04 +00:00 · 2024-11-15 00:46:04 +00:00 · a422d2ea17
commit a422d2ea17
parent 015b41aeb4 55db4af979
76 changed files with 265 additions and 265 deletions
--- a/tests/regression/apparmor/aa_exec.sh
+++ b/tests/regression/apparmor/aa_exec.sh
@ -19,7 +19,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 ns=aa_exec_ns

@ -42,7 +42,7 @@ $1 ${mode}{
 EOF
 }

-settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
+settest aa_exec_profile "${bin}/aa_exec_wrapper.sh"

 genprofile_aa_exec "$test" 0
 runchecktest "unconfined" pass "$aa_exec" "unconfined"
--- a/tests/regression/apparmor/aa_policy_cache.sh
+++ b/tests/regression/apparmor/aa_policy_cache.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 # cacheloc is the top level directory of cache directories
 cacheloc="$tmpdir/cache"
--- a/tests/regression/apparmor/access.sh
+++ b/tests/regression/apparmor/access.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file

--- a/tests/regression/apparmor/at_secure.sh
+++ b/tests/regression/apparmor/at_secure.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 settest transition
 at_secure=$pwd/at_secure
--- a/tests/regression/apparmor/attach_disconnected.sh
+++ b/tests/regression/apparmor/attach_disconnected.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 settest unix_fd_server
 disk_img=$tmpdir/disk_img
@ -28,7 +28,7 @@ file=$tmpdir/file
 socket=$tmpdir/unix_fd_test
 att_dis_client=$pwd/attach_disconnected

-. $bin/mount.inc
+. "$bin/mount.inc"

 attach_disconnected_cleanup() {
 	if [ ! -z "$loop_device" ]; then
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@ -27,7 +27,7 @@ pwd=`dirname $0`
 pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 TESTS="syscall_ptrace syscall_sethostname \
       syscall_setdomainname syscall_setpriority syscall_setscheduler \
@ -139,18 +139,18 @@ for TEST in ${TESTS} ; do
 	# okay, now check to see if the capability functions from within
 	# a subprofile.
 	settest ${testwrapper}
-	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
+	genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" ${my_entries}
 	if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then
 	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
 	    # capability + ptrace rule needed between pids
-	    runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
+	    runchecktest "${TEST} changehat -- no caps" pass "$bin/${TEST}" ${my_arg}
 	else
-	    runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+	    runchecktest "${TEST} changehat -- no caps" fail "$bin/${TEST}" ${my_arg}
 	fi

 	# all capabilities allowed
-	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
-	runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
+	genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:ALL ${my_entries}
+	runchecktest "${TEST} changehat -- all caps" ${expected} "$bin/${TEST}" ${my_arg}

 	for cap in ${CAPABILITIES} ; do
 		if [ ${expected} = "fail" ]; then
@ -162,8 +162,8 @@ for TEST in ${TESTS} ; do
 		else
 			expected_result=fail
 		fi
-		genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries}
-		runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} $bin/${TEST} ${my_arg}
+		genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:${cap} ${my_entries}
+		runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} "$bin/${TEST}" ${my_arg}
 	done

 done
--- a/tests/regression/apparmor/changehat.sh
+++ b/tests/regression/apparmor/changehat.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 subfile=$tmpdir/file2
--- a/tests/regression/apparmor/changehat_fork.sh
+++ b/tests/regression/apparmor/changehat_fork.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 subfile=$tmpdir/file2
--- a/tests/regression/apparmor/changehat_misc.sh
+++ b/tests/regression/apparmor/changehat_misc.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 subfile=$tmpdir/file2
@ -77,7 +77,7 @@ runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}

 settest changehat_wrapper

-genprofile hat:open addimage:${bin}/open ${file}:${okperm}
+genprofile hat:open "addimage:${bin}/open" ${file}:${okperm}

 runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file}
 runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file}
--- a/tests/regression/apparmor/changeprofile.sh
+++ b/tests/regression/apparmor/changeprofile.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 subfile=$tmpdir/file2
--- a/tests/regression/apparmor/chdir.sh
+++ b/tests/regression/apparmor/chdir.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 dir=$tmpdir/tmpdir

--- a/tests/regression/apparmor/clone.sh
+++ b/tests/regression/apparmor/clone.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 # TEST1 unconfined

--- a/tests/regression/apparmor/coredump.sh
+++ b/tests/regression/apparmor/coredump.sh
@ -63,7 +63,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 coreperm=r
 nocoreperm=ix
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@ -17,10 +17,10 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_kernel_features dbus
 requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"

 args="--session"

--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@ -17,10 +17,10 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_kernel_features dbus
 requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"

 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"

--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@ -16,10 +16,10 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_kernel_features dbus
 requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"

 service="--$bus --name=$dest $path $iface"
 unconfined_log="${tmpdir}/unconfined.log"
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@ -16,10 +16,10 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_kernel_features dbus
 requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"

 service="--$bus --name=$dest $path $iface"
 unconfined_log="${tmpdir}/unconfined.log"
--- a/tests/regression/apparmor/deleted.sh
+++ b/tests/regression/apparmor/deleted.sh
@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 file2="$tmpdir/file (deleted)"
--- a/tests/regression/apparmor/e2e.sh
+++ b/tests/regression/apparmor/e2e.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 # load_and_verify - Generate and load a profile, then verify that raw_data
 #                            matches the generated cached policy
--- a/tests/regression/apparmor/environ.sh
+++ b/tests/regression/apparmor/environ.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 helper=$pwd/env_check
 setuid_helper=${tmpdir}/env_check
--- a/tests/regression/apparmor/exec.sh
+++ b/tests/regression/apparmor/exec.sh
@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 cp -pL /bin/true ${tmpdir}/true
 file=${tmpdir}/true
--- a/tests/regression/apparmor/exec_qual.sh
+++ b/tests/regression/apparmor/exec_qual.sh
@ -19,7 +19,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=/etc/group

@ -72,71 +72,71 @@ local_runchecktest()
 #	  child profile grants access
 #	  expected behaviour: child should be able to access resource

-genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive
-local_runchecktest "enforce px case1" pass $test2 $test2 $file
+genprofile "$test2:px" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive
+local_runchecktest "enforce px case1" pass "$test2" "$test2" $file

 # case 2: parent profile grants access (should be irrelevant)
 #	  child profile disallows access
 #	  expected behaviour: child should be unable to access resource

-genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2 signal:receive
-local_runchecktest "enforce px case2" fail $test2 $test2 $file
+genprofile "$test2:px" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" signal:receive
+local_runchecktest "enforce px case2" fail "$test2" "$test2" $file

 # case 3: parent profile disallows access (should be irrelevant)
 #	  child profile allows access
 #	  expected behaviour: child should be able to access resource

-genprofile $test2:px signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive
-local_runchecktest "enforce px case3" pass $test2 $test2 $file
+genprofile "$test2:px" signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive
+local_runchecktest "enforce px case3" pass "$test2" "$test2" $file

 # case 4: parent profile grants access (should be irrelevant)
 #	  missing child profile
 #	  expected behaviour: exec of child fails

-genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined
-local_runchecktest "enforce px case4" fail "n/a" $test2 $file
+genprofile "$test2:px" $file:$fileperm signal:receive:peer=unconfined
+local_runchecktest "enforce px case4" fail "n/a" "$test2" $file

 # confined parent, exec child with 'ix'
 # case 1: parent profile grants access
 #	  child profile grants access (should be irrelevant)
 #	  expected behaviour: child should be able to access resource

-genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive
-local_runchecktest "enforce ix case1" pass $test1 $test2 $file
+genprofile "$test2:rix" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive
+local_runchecktest "enforce ix case1" pass "$test1" "$test2" $file

 # case 2: parent profile grants access
 #	  child profile disallows access (should be irrelevant)
 #	  expected behaviour: child should be able to access resource

-genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -- image=$test2 signal:receive
-local_runchecktest "enforce ix case2" pass $test1 $test2 $file
+genprofile "$test2:rix" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" signal:receive
+local_runchecktest "enforce ix case2" pass "$test1" "$test2" $file

 # case 3: parent profile disallows access
 #	  child profile allows access (should be irrelevant)
 #	  expected behaviour: child should be unable to access resource

-genprofile $test2:rix signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive
-local_runchecktest "enforce ix case3" fail $test1 $test2 $file
+genprofile "$test2:rix" signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive
+local_runchecktest "enforce ix case3" fail "$test1" "$test2" $file

 # case 4: parent profile grants access
 #	  missing child profile (irrelevant)
 #	  expected behaviour: child should be able to access resource

-genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined
-local_runchecktest "enforce ix case4" pass $test1 $test2 $file
+genprofile "$test2:rix" $file:$fileperm signal:receive:peer=unconfined
+local_runchecktest "enforce ix case4" pass "$test1" "$test2" $file

 # confined parent, exec child with 'ux'
 # case 1: parent profile grants access (should be irrelevant)
 #	  expected behaviour, child should be able to access resource

 genprofile $test2:ux $file:$fileperm signal:receive:peer=unconfined
-local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file
+local_runchecktest "enforce ux case1" pass "unconfined" "$test2" $file

 # case 2: parent profile denies access (should be irrelevant)
 #	  expected behaviour, child should be able to access resource

 genprofile $test2:ux signal:receive:peer=unconfined
-local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file
+local_runchecktest "enforce ux case1" pass "unconfined" "$test2" $file

 # confined parent, exec child with conflicting exec qualifiers
 # that overlap in such away that px is preferred (ix is glob, px is exact
@ -144,27 +144,27 @@ local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file
 # case 1: 
 #	  expected behaviour: exec of child passes

-genprofile $test2:px $test2_rex1:ix signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive
-local_runchecktest "enforce conflicting exec qual" pass $test2 $test2 $file
+genprofile "$test2:px" "$test2_rex1:ix" signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive
+local_runchecktest "enforce conflicting exec qual" pass "$test2" "$test2" $file

 # unconfined parent
 # case 1: child profile exists, child profile grants access
 #	  expected behaviour: child should be able to access resource

-genprofile image=$test2 $file:$fileperm signal:receive:peer=unconfined
-local_runchecktest "enforce unconfined case1" pass $test2 $test2 $file
+genprofile "image=$test2" $file:$fileperm signal:receive:peer=unconfined
+local_runchecktest "enforce unconfined case1" pass "$test2" "$test2" $file

 # case 2: child profile exists, child profile denies access
 #	  expected behaviour: child should be unable to access resource

-genprofile image=$test2 signal:receive:peer=unconfined
-local_runchecktest "enforce unconfined case2" fail $test2 $test2 $file
+genprofile "image=$test2" signal:receive:peer=unconfined
+local_runchecktest "enforce unconfined case2" fail "$test2" "$test2" $file

 # case 3: no child profile exists, unconfined
 #	  expected behaviour: child should be able to access resource

 removeprofile
-local_runchecktest "enforce unconfined case3" pass "unconfined" $test2 $file
+local_runchecktest "enforce unconfined case3" pass "unconfined" "$test2" $file

 # -----------------------------------------------------------------------

--- a/tests/regression/apparmor/exec_stack.sh
+++ b/tests/regression/apparmor/exec_stack.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features domain/stack
 settest transition
--- a/tests/regression/apparmor/fchdir.sh
+++ b/tests/regression/apparmor/fchdir.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 dir=$tmpdir/tmpdir/

--- a/tests/regression/apparmor/fd_inheritance.sh
+++ b/tests/regression/apparmor/fd_inheritance.sh
@ -29,7 +29,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 inheritor=$bin/fd_inheritor
@ -43,34 +43,34 @@ d3e773e2a4a0cc9d7e28eb217a4241ce
 1437d6c55ef788d3bcd27ab14e9382a9
 EOF

-runchecktest "fd inheritance; unconfined -> unconfined" pass $file $inheritor
+runchecktest "fd inheritance; unconfined -> unconfined" pass $file "$inheritor"

-genprofile $file:$okperm $inheritor:Ux
-runchecktest "fd inheritance; confined -> unconfined" pass $file $inheritor
+genprofile $file:$okperm "$inheritor:Ux"
+runchecktest "fd inheritance; confined -> unconfined" pass $file "$inheritor"

-genprofile $file:$badperm $inheritor:Ux
-runchecktest "fd inheritance; confined (bad perm) -> unconfined" fail $file $inheritor
+genprofile $file:$badperm "$inheritor:Ux"
+runchecktest "fd inheritance; confined (bad perm) -> unconfined" fail $file "$inheritor"

-genprofile $inheritor:Ux
-runchecktest "fd inheritance; confined (no perm) -> unconfined" fail $file $inheritor
+genprofile "$inheritor:Ux"
+runchecktest "fd inheritance; confined (no perm) -> unconfined" fail $file "$inheritor"

-genprofile image=$inheritor $file:$okperm
-runchecktest "fd inheritance; unconfined -> confined" pass $file $inheritor
+genprofile "image=$inheritor" $file:$okperm
+runchecktest "fd inheritance; unconfined -> confined" pass $file "$inheritor"

-genprofile image=$inheritor
-runchecktest "fd inheritance; unconfined -> confined (no perm)" pass $file $inheritor
+genprofile "image=$inheritor"
+runchecktest "fd inheritance; unconfined -> confined (no perm)" pass $file "$inheritor"

-genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$okperm
-runchecktest "fd inheritance; confined -> confined" pass $file $inheritor
+genprofile $file:$okperm "$inheritor:Px" -- "image=$inheritor" $file:$okperm
+runchecktest "fd inheritance; confined -> confined" pass $file "$inheritor"

-genprofile $file:$badperm $inheritor:Px -- image=$inheritor $file:$okperm
-runchecktest "fd inheritance; confined (bad perm) -> confined" fail $file $inheritor
+genprofile $file:$badperm "$inheritor:Px" -- "image=$inheritor" $file:$okperm
+runchecktest "fd inheritance; confined (bad perm) -> confined" fail $file "$inheritor"

-genprofile $inheritor:Px -- image=$inheritor $file:$okperm
-runchecktest "fd inheritance; confined (no perm) -> confined" fail $file $inheritor
+genprofile "$inheritor:Px" -- "image=$inheritor" $file:$okperm
+runchecktest "fd inheritance; confined (no perm) -> confined" fail $file "$inheritor"

-genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$badperm
-runchecktest "fd inheritance; confined -> confined (bad perm)" fail $file $inheritor
+genprofile $file:$okperm "$inheritor:Px" -- "image=$inheritor" $file:$badperm
+runchecktest "fd inheritance; confined -> confined (bad perm)" fail $file "$inheritor"

-genprofile $file:$okperm $inheritor:Px -- image=$inheritor
-runchecktest "fd inheritance; confined -> confined (no perm)" fail $file $inheritor
+genprofile $file:$okperm "$inheritor:Px" -- "image=$inheritor"
+runchecktest "fd inheritance; confined -> confined (no perm)" fail $file "$inheritor"
--- a/tests/regression/apparmor/fork.sh
+++ b/tests/regression/apparmor/fork.sh
@ -19,7 +19,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file1=$tmpdir/file1
 file2=$tmpdir/file2
--- a/tests/regression/apparmor/i18n.sh
+++ b/tests/regression/apparmor/i18n.sh
@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 okperm=rw
 badperm1=r
--- a/tests/regression/apparmor/introspect.sh
+++ b/tests/regression/apparmor/introspect.sh
@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 ok_ix_perm=rix
 badperm=r
--- a/tests/regression/apparmor/io_uring.sh
+++ b/tests/regression/apparmor/io_uring.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features io_uring
 requires_parser_support "io_uring,"
--- a/tests/regression/apparmor/link.sh
+++ b/tests/regression/apparmor/link.sh
@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 target=$tmpdir/target
 linkfile=$tmpdir/linkfile
--- a/tests/regression/apparmor/link_subset.sh
+++ b/tests/regression/apparmor/link_subset.sh
@ -20,13 +20,13 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 target=$tmpdir/target_
 linkfile=$tmpdir/link_

-tfiles=`$bin/link_subset --filenames $target`
-lfiles=`$bin/link_subset --filenames $linkfile`
+tfiles=`"$bin/link_subset" --filenames $target`
+lfiles=`"$bin/link_subset" --filenames $linkfile`

 # unconfined test - no target file
 #runchecktest "unconfined - no target" fail $target $linkfile
--- a/tests/regression/apparmor/longpath.sh
+++ b/tests/regression/apparmor/longpath.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 genrandname()
 {
--- a/tests/regression/apparmor/mkdir.sh
+++ b/tests/regression/apparmor/mkdir.sh
@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 dir=$tmpdir/tmpdir/
 perms=w
--- a/tests/regression/apparmor/mmap.sh
+++ b/tests/regression/apparmor/mmap.sh
@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/src
 okperm=rw
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 ##
 ## A. MOUNT
@ -33,7 +33,7 @@ mount_bad=$tmpdir/mountbad
 loop_device="unset" 
 fstype="ext2"

-. $bin/mount.inc
+. "$bin/mount.inc"

 setup_mnt() {
 	/bin/mount -n -t${fstype} ${loop_device} ${mount_point}
--- a/tests/regression/apparmor/mult_mount.sh
+++ b/tests/regression/apparmor/mult_mount.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 cleandir()
 {
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 fifo=${tmpdir}/pipe

--- a/tests/regression/apparmor/namespaces.sh
+++ b/tests/regression/apparmor/namespaces.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_namespace_interface

 # unique_ns - Print a randomly generated, unused namespace identifier to stdout
--- a/tests/regression/apparmor/net_inet.sh
+++ b/tests/regression/apparmor/net_inet.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features network_v8/af_inet
 requires_parser_support "network ip=::1,"
@ -67,11 +67,11 @@ do_tests()

 	settest net_inet_rcv
 	$generate_profile
-	do_test "$prefix - root" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender $sender
+	do_test "$prefix - root" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender "$sender"

 	settest -u "foo" net_inet_rcv
 	$generate_profile
-	do_test "$prefix - user" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender $sender
+	do_test "$prefix - user" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender "$sender"


 }
--- a/tests/regression/apparmor/net_raw.sh
+++ b/tests/regression/apparmor/net_raw.sh
@ -17,7 +17,7 @@ pwd=$(cd $pwd ; /bin/pwd)

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 dir=$tmpdir/tmpdir

--- a/tests/regression/apparmor/nfs.sh
+++ b/tests/regression/apparmor/nfs.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 srcdir=$tmpdir/src
 mntdir=$tmpdir/mnt
--- a/tests/regression/apparmor/nnp.sh
+++ b/tests/regression/apparmor/nnp.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 settest transition

--- a/tests/regression/apparmor/onexec.sh
+++ b/tests/regression/apparmor/onexec.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 settest transition
 file=$tmpdir/file
@ -53,75 +53,75 @@ do_test()


 # ONEXEC from UNCONFINED - don't change profile
-do_test "" unconfined nochange pass $bin/open $file
+do_test "" unconfined nochange pass "$bin/open" $file

 # ONEXEC from UNCONFINED - target does NOT exist
-genprofile image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
-do_test "" unconfined noexist fail $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open"
+do_test "" unconfined noexist fail "$bin/open" $file

 # ONEXEC from UNCONFINED - change to rw profile, no exec profile to override
-genprofile image=$bin/rw $bin/open:rix $file:rw
-do_test "no px profile" unconfined $bin/rw pass $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:rix" $file:rw
+do_test "no px profile" unconfined "$bin/rw" pass "$bin/open" $file

 # ONEXEC from UNCONFINED - don't change profile, make sure exec profile is applied
-genprofile image=$bin/rw $bin/open:px $file:rw  -- image=$bin/open $file:rw
-do_test "nochange px" unconfined nochange pass $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:px" $file:rw  -- "image=$bin/open" $file:rw
+do_test "nochange px" unconfined nochange pass "$bin/open" $file

 # ONEXEC from UNCONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
-genprofile image=$bin/rw $bin/open:px $file:rw  -- image=$bin/open
-do_test "override px" unconfined $bin/rw pass $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:px" $file:rw  -- "image=$bin/open"
+do_test "override px" unconfined "$bin/rw" pass "$bin/open" $file

 #------

 # ONEXEC from CONFINED - don't change profile, open can't exec
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r
-do_test "no px perm" $test nochange fail $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r
+do_test "no px perm" $test nochange fail "$bin/open" $file

 # ONEXEC from CONFINED - don't change profile, open is run unconfined
-genprofile 'change_profile->':$bin/rw $bin/open:rux $exec_w $attrs_r
-do_test "nochange rux" $test nochange pass $bin/open $file
+genprofile "change_profile->:$bin/rw" "$bin/open:rux" $exec_w $attrs_r
+do_test "nochange rux" $test nochange pass "$bin/open" $file

 # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/open $file:rw
-do_test "nochange px - no px perm" $test nochange fail $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/open" $file:rw
+do_test "nochange px - no px perm" $test nochange fail "$bin/open" $file

 # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
-genprofile 'change_profile->':$bin/rw $bin/open:rpx $exec_w $attrs_r -- image=$bin/open
-do_test "nochange px - no file perm" $test nochange fail $bin/open $file
+genprofile "change_profile->:$bin/rw" "$bin/open:rpx" $exec_w $attrs_r -- "image=$bin/open"
+do_test "nochange px - no file perm" $test nochange fail "$bin/open" $file

 # ONEXEC from CONFINED - target does NOT exist
-genprofile 'change_profile->':$bin/open $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
-do_test "noexist px" $test noexist fail $bin/open $file
+genprofile "change_profile->:$bin/open" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open"
+do_test "noexist px" $test noexist fail "$bin/open" $file

 # ONEXEC from CONFINED - change to rw profile, no exec profile to override
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw
-do_test "change profile - override rix" $test $bin/rw pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw
+do_test "change profile - override rix" $test "$bin/rw" pass "$bin/open" $file

 # ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit write access to /proc/*/attr/exec
-genprofile 'change_profile->':$bin/rw $attrs_r -- image=$bin/rw $bin/open:rix $file:rw
-do_test "change profile - no exec_w" $test $bin/rw pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw
+do_test "change profile - no exec_w" $test "$bin/rw" pass "$bin/open" $file

 # ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open $file:rw
-do_test "nochange px" $test nochange pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r "$bin/open:rpx" -- "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open" $file:rw
+do_test "nochange px" $test nochange pass "$bin/open" $file

 # ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
-do_test "override px" $test $bin/rw pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open"
+do_test "override px" $test "$bin/rw" pass "$bin/open" $file

 # ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix  -- image=$bin/open $file:rw
-do_test "override px" $test $bin/rw fail $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix"  -- "image=$bin/open" $file:rw
+do_test "override px" $test "$bin/rw" fail "$bin/open" $file

 # ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
-do_test "glob override px" $test $bin/rw pass $bin/open $file
+genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open"
+do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file

 # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
-do_test "glob override px" $test $bin/open fail $bin/open $file
+genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open"
+do_test "glob override px" $test "$bin/open" fail "$bin/open" $file

 # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
-genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open $file:rw
-do_test "glob override px" $test $bin/rw pass $bin/open $file
+genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw  -- "image=$bin/open" $file:rw
+do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file

--- a/tests/regression/apparmor/open.sh
+++ b/tests/regression/apparmor/open.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 okperm=rw
--- a/tests/regression/apparmor/openat.sh
+++ b/tests/regression/apparmor/openat.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 dir=${tmpdir}
 subdir=deleteme
--- a/tests/regression/apparmor/owlsm.sh
+++ b/tests/regression/apparmor/owlsm.sh
@ -26,7 +26,7 @@ pwd=$(cd ${pwd} ; /bin/pwd)

 bin=${pwd}

-. ${bin}/prologue.inc
+. "${bin}/prologue.inc"

 target=file1
 source=file2
--- a/tests/regression/apparmor/pipe.sh
+++ b/tests/regression/apparmor/pipe.sh
@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 subtest=sub

--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 disk_img=$tmpdir/disk_img
 new_root=$tmpdir/new_root/
@ -26,7 +26,7 @@ bad=$tmpdir/BAD/
 proc=$new_root/proc
 fstype="ext2"

-. $bin/mount.inc
+. "$bin/mount.inc"

 pivot_root_cleanup() {
 	mountpoint -q "$proc"
--- a/tests/regression/apparmor/posix_mq.sh
+++ b/tests/regression/apparmor/posix_mq.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features ipc/posix_mqueue
 requires_parser_support "mqueue,"
@ -35,8 +35,8 @@ echo "$user:password" | sudo chpasswd
 userid=$(id -u $user)

 # workaround to not have to set o+x
-chmod 6755 $receiver
-setcap cap_dac_read_search+pie $receiver
+chmod 6755 "$receiver"
+setcap cap_dac_read_search+pie "$receiver"

 cleanup()
 {
@ -65,16 +65,16 @@ do_tests()
    all_args=("$@")
    rest_args=("${all_args[@]:5}")

-    do_test "$prefix" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename "${rest_args[@]}"
+    do_test "$prefix" "$expect_send" "$sender" "$expect_recv" -c "$sender" -k $queuename "${rest_args[@]}"

    # notify requires netlink permissions
-    do_test "$prefix : mq_notify" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename -n mq_notify -p $pipe "${rest_args[@]}"
+    do_test "$prefix : mq_notify" "$expect_send" "$sender" "$expect_recv" -c "$sender" -k $queuename -n mq_notify -p $pipe "${rest_args[@]}"

-    do_test "$prefix : select" "$expect_open" -c $sender -k $queuename -n select "${rest_args[@]}"
+    do_test "$prefix : select" "$expect_open" -c "$sender" -k $queuename -n select "${rest_args[@]}"

-    do_test "$prefix : poll" "$expect_open" -c $sender -k $queuename -n poll "${rest_args[@]}"
+    do_test "$prefix : poll" "$expect_open" -c "$sender" -k $queuename -n poll "${rest_args[@]}"

-    do_test "$prefix : epoll" "$expect_open" -c $sender -k $queuename -n epoll "${rest_args[@]}"
+    do_test "$prefix : epoll" "$expect_open" -c "$sender" -k $queuename -n epoll "${rest_args[@]}"
 }


@ -88,15 +88,15 @@ for username in "root" "$userid" ; do
    do_tests "unconfined $username" pass pass pass pass $usercmd

    # No mqueue perms
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" "$pipe:rw" -- image=$sender "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" "$pipe:rw" -- "image=$sender" "$pipe:rw"
    do_tests "confined $username - no perms" fail fail fail fail $usercmd


-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- "image=$sender" "deny mqueue" "$pipe:rw"
    do_tests "confined $username - deny perms" fail fail fail fail $usercmd

    if [ "$(parser_supports 'all,')" = "true" ]; then
-	genprofile "all" -- image=$sender "all"
+	genprofile "all" -- "image=$sender" "all"
 	do_tests "confined $username - allow all" pass pass pass pass $usercmd
    fi

@ -108,50 +108,50 @@ for username in "root" "$userid" ; do
    #   apparmor when doing "root" username tests
    # * if doing the $userid set of tests and you see
    #   Permission denied in the test output
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- image=$sender "mqueue" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue" "$pipe:rw"
    do_tests "confined $username - mqueue" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:type=posix" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:type=posix" "$pipe:rw"
    do_tests "confined $username - mqueue type=posix" pass pass pass pass $usercmd

    # queue name
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:$queuename" "$pipe:rw"
    do_tests "confined $username - mqueue /name 1" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:$queuename" "$pipe:rw"
    do_tests "confined $username - mqueue /name 2" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue" "$pipe:rw"
    do_tests "confined $username - mqueue /name 3" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename2" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:$queuename2" "$pipe:rw"
    do_tests "confined $username - mqueue /name 4" fail fail fail fail $usercmd -t 1


    # specific permissions
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw"
    do_tests "confined $username - specific 1" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw"
    do_tests "confined $username - specific 2" fail fail fail fail $usercmd -t 1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw"
    do_tests "confined $username - specific 3" fail fail fail fail $usercmd -t 1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw"
    do_tests "confined $username - specific 4" fail fail fail fail $usercmd -t 1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw"
    do_tests "confined $username - specific 5" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw"
    do_tests "confined $username - specific 6" pass pass pass pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:read" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:read" "$pipe:rw"
    do_tests "confined $username - specific 7" fail fail fail fail $usercmd -t 1

    # unconfined receiver
-    genprofile image=$sender "mqueue"
+    genprofile "image=$sender" "mqueue"
    do_tests "confined sender $username - unconfined receiver" pass pass pass pass $usercmd


@ -161,12 +161,12 @@ for username in "root" "$userid" ; do


    # queue label
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:label=$receiver" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:label=$receiver" "$pipe:rw"
    do_tests "confined $username - mqueue label 1" xpass xpass xpass xpass $usercmd


    # queue name and label
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:(open,write):type=posix:label=$receiver:$queuename" "$pipe:rw"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:(open,write):type=posix:label=$receiver:$queuename" "$pipe:rw"
    do_tests "confined $username - mqueue label 2" xpass xpass xpass xpass $usercmd

    # ensure we are cleaned up for next pass
--- a/tests/regression/apparmor/ptrace.sh
+++ b/tests/regression/apparmor/ptrace.sh
@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 # Read permission was required for a confined process to be able to be traced 
 # using ptrace.  This stopped being required or functioning correctly 
@ -56,7 +56,7 @@ runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true}


 if [ "$(kernel_features ptrace)" = "true" -a "$(parser_supports 'ptrace,')" = "true" ] ; then
-	. $bin/ptrace_v6.inc
+	. "$bin/ptrace_v6.inc"
 else
-	. $bin/ptrace_v5.inc
+	. "$bin/ptrace_v5.inc"
 fi
--- a/tests/regression/apparmor/pwrite.sh
+++ b/tests/regression/apparmor/pwrite.sh
@ -14,7 +14,7 @@ pwd=`cd $pwd ; pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=${tmpdir}/pwrite
 okperm=rw
--- a/tests/regression/apparmor/query_label.sh
+++ b/tests/regression/apparmor/query_label.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_query_interface

 settest query_label
--- a/tests/regression/apparmor/readdir.sh
+++ b/tests/regression/apparmor/readdir.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 dir=$tmpdir/tmpdir
 # x is not really needed, see chdir.sh
--- a/tests/regression/apparmor/regex.sh
+++ b/tests/regression/apparmor/regex.sh
@ -22,7 +22,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 file2=$tmpdir/filealpha
--- a/tests/regression/apparmor/rename.sh
+++ b/tests/regression/apparmor/rename.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file1=$tmpdir/file1
 file2=$tmpdir/file2
--- a/tests/regression/apparmor/rw.sh
+++ b/tests/regression/apparmor/rw.sh
@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/src
 okperm=rw
--- a/tests/regression/apparmor/sd_flags.sh
+++ b/tests/regression/apparmor/sd_flags.sh
@ -14,7 +14,7 @@ pwd=$(cd $pwd ; /bin/pwd)

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 settest open

@ -58,56 +58,56 @@ settest changehat_wrapper

 # audit alone
 # PASS TEST (noflags)
-genprofile hat:open addimage:${bin}/open $file:$okperm
+genprofile hat:open "addimage:${bin}/open" $file:$okperm
 runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file

 # PASS TEST 1 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm
 runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file

 # PASS TEST 2 (audit)
-genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit
+genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:audit
 runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file

 # PASS TEST 3 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm flag:audit
 runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file

 # FAILURE TEST 1 (audit)
-genprofile flag:audit  hat:open addimage:${bin}/open $file:$badperm1
+genprofile flag:audit  hat:open "addimage:${bin}/open" $file:$badperm1
 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file

 # FAILURE TEST 2 (audit)
-genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit
+genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file

 # FAILURE TEST 3 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:audit
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file

 # complain alone
 # PASS TEST 1 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm
 runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file

 # PASS TEST 2 (complain)
-genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain
+genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:complain
 runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file

 # PASS TEST 3 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm flag:complain
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm flag:complain
 runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file

 # FAILURE TEST 1 (complain)
-genprofile flag:complain  hat:open addimage:${bin}/open $file:$badperm1
+genprofile flag:complain  hat:open "addimage:${bin}/open" $file:$badperm1
 runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file

 # PASS TEST 4 (complain)
-genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain
+genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
 runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file

 # PASS TEST 5 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:complain
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
 runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file

 # PASS TEST 6 (complain) no hat defined
@ -116,10 +116,10 @@ runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file

 # audit + complain
 # PASS TEST 3 (audit+complain)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:complain
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
 runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file

 # FAILURE TEST 3 (complain+audit)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:audit
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
 runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file

--- a/tests/regression/apparmor/setattr.sh
+++ b/tests/regression/apparmor/setattr.sh
@ -47,7 +47,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 dir="$tmpdir/dir/"
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features network/af_unix

--- a/tests/regression/apparmor/stackonexec.sh
+++ b/tests/regression/apparmor/stackonexec.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features domain/stack
 settest transition
--- a/tests/regression/apparmor/stackprofile.sh
+++ b/tests/regression/apparmor/stackprofile.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features domain/stack
 settest transition
--- a/tests/regression/apparmor/swap.sh
+++ b/tests/regression/apparmor/swap.sh
@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 ##
 ## A. SWAP
--- a/tests/regression/apparmor/symlink.sh
+++ b/tests/regression/apparmor/symlink.sh
@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 src=$tmpdir/src1
 target=$tmpdir/target
--- a/tests/regression/apparmor/syscall.sh
+++ b/tests/regression/apparmor/syscall.sh
@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 ##
 ## A. PTRACE
--- a/tests/regression/apparmor/syscall_sysctl.sh
+++ b/tests/regression/apparmor/syscall_sysctl.sh
@ -20,7 +20,7 @@ sysctlbad=/proc/sys/kernel/sysrq

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 ##
 ## C. SYSCTL
--- a/tests/regression/apparmor/sysv_mq.sh
+++ b/tests/regression/apparmor/sysv_mq.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features ipc/sysv_mqueue
 requires_parser_support "mqueue,"
@ -35,8 +35,8 @@ echo "$user:password" | sudo chpasswd
 userid=$(id -u $user)

 # workaround to not have to set o+x
-chmod 6755 $receiver
-setcap cap_dac_read_search+pie $receiver
+chmod 6755 "$receiver"
+setcap cap_dac_read_search+pie "$receiver"

 cleanup()
 {
@ -62,7 +62,7 @@ do_tests()
    all_args=("$@")
    rest_args=("${all_args[@]:2}")

-    do_test "$prefix" "$expect_send" -c $sender -k $qkey -s $semaphore "${rest_args[@]}"
+    do_test "$prefix" "$expect_send" -c "$sender" -k $qkey -s $semaphore "${rest_args[@]}"
 }

 for username in "root" "$userid" ; do
@ -75,10 +75,10 @@ for username in "root" "$userid" ; do
    do_tests "unconfined $username" pass $usercmd

    # No mqueue perms
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- "image=$sender"
    do_tests "confined $username - no perms" fail $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- "image=$sender" "deny mqueue"
    do_tests "confined $username - deny perms" fail $usercmd

    # generic mqueue
@ -89,56 +89,56 @@ for username in "root" "$userid" ; do
    #   apparmor when doing "root" username tests
    # * if doing the $userid set of tests and you see
    #   Permission denied in the test output
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- "image=$sender" "mqueue"
    do_tests "confined $username - mqueue" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:type=sysv" "$sender:px" -- image=$sender "mqueue:type=sysv"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:type=sysv" "$sender:px" -- "image=$sender" "mqueue:type=sysv"
    do_tests "confined $username - mqueue type=sysv" pass $usercmd

    # queue name
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- "image=$sender" "mqueue:$qkey"
    do_tests "confined $username - mqueue /name 1" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue:$qkey"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- "image=$sender" "mqueue:$qkey"
    do_tests "confined $username - mqueue /name 2" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- "image=$sender" "mqueue"
    do_tests "confined $username - mqueue /name 3" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey2"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- "image=$sender" "mqueue:$qkey2"
    do_tests "confined $username - mqueue /name 4" fail $usercmd -t 1


    # specific permissions
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)"
    do_tests "confined $username - specific 1" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)"
    do_tests "confined $username - specific 2" fail $usercmd -t 1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)"
    do_tests "confined $username - specific 3" fail $usercmd -t 1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)"
    do_tests "confined $username - specific 4" fail $usercmd -t 1
    # we need to remove queue since the previous test didn't
    ipcrm --queue-key $qkey >/dev/null 2>&1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)"
    do_tests "confined $username - specific 5" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)"
    do_tests "confined $username - specific 6" pass $usercmd

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,read)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,read)"
    do_tests "confined $username - specific 7" fail $usercmd -t 1

-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:write"
    do_tests "confined $username - specific 7" fail $usercmd -t 1


    # unconfined receiver
-    genprofile image=$sender "mqueue"
+    genprofile "image=$sender" "mqueue"
    do_tests "confined sender $username - unconfined receiver" pass $usercmd


@ -148,12 +148,12 @@ for username in "root" "$userid" ; do


    # queue label
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:label=$receiver" "$sender:px" -- "image=$sender" "mqueue:label=$receiver"
    do_tests "confined $username - mqueue label 1" xpass $usercmd


    # queue name and label
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete):type=sysv:label=$receiver:$qkey" "$sender:px" -- image=$sender "mqueue:(open,write):type=sysv:label=$receiver:$qkey"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete):type=sysv:label=$receiver:$qkey" "$sender:px" -- "image=$sender" "mqueue:(open,write):type=sysv:label=$receiver:$qkey"
    do_tests "confined $username - mqueue label 2" xpass $usercmd


--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@ -20,7 +20,7 @@ bin=$pwd
 # kernel feature supported
 # need to be able to query the parser if it supports the
 # kernel feature
-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_any_of_kernel_features network network_v8

 port=34567
--- a/tests/regression/apparmor/unix_fd_server.sh
+++ b/tests/regression/apparmor/unix_fd_server.sh
@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=${tmpdir}/file
 socket=${tmpdir}/unix_fd_test
--- a/tests/regression/apparmor/unix_socket_abstract.sh
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@ -26,8 +26,8 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
-. $bin/unix_socket.inc
+. "$bin/prologue.inc"
+. "$bin/unix_socket.inc"
 requires_kernel_features policy/versions/v7
 requires_kernel_features network/af_unix
 requires_parser_support "unix,"
--- a/tests/regression/apparmor/unix_socket_autobind.sh
+++ b/tests/regression/apparmor/unix_socket_autobind.sh
@ -31,8 +31,8 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
-. $bin/unix_socket.inc
+. "$bin/prologue.inc"
+. "$bin/unix_socket.inc"
 requires_kernel_features policy/versions/v7
 requires_kernel_features network/af_unix
 requires_parser_support "unix,"
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@ -26,7 +26,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"
 requires_kernel_features policy/versions/v6
 #af_mask for downgrade test af_unix for full test
 requires_any_of_kernel_features network/af_mask network_v8/af_mask
@ -112,19 +112,19 @@ testsocktype()

 	# PASS - server w/ access to the file

-	genprofile $sockpath:$okserver $af_unix $client:Ux
+	genprofile $sockpath:$okserver $af_unix "$client:Ux"
 	runchecktest "$testdesc; confined server w/ access ($okserver)" $ex_result $args
 	removesockets $sockpath $client_sockpath

 	# FAIL - server w/o access to the file

-	genprofile $af_unix $client:Ux
+	genprofile $af_unix "$client:Ux"
 	runchecktest "$testdesc; confined server w/o access" fail $args
 	removesockets $sockpath $client_sockpath

 	# FAIL - server w/ bad access to the file

-	genprofile $sockpath:$badserver1 $af_unix $client:Ux
+	genprofile $sockpath:$badserver1 $af_unix "$client:Ux"
 	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
 	removesockets $sockpath $client_sockpath

@ -133,7 +133,7 @@ testsocktype()
 	if [ -n "$badserver2" ] ; then
 		# FAIL - server w/ bad access to the file

-		genprofile $sockpath:$badserver2 $af_unix $client:Ux
+		genprofile $sockpath:$badserver2 $af_unix "$client:Ux"
 		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
 		removesockets $sockpath $client_sockpath

@ -142,7 +142,7 @@ testsocktype()
 	if [ -n "$af_unix_okserver" ] ; then
 		# FAIL - server w/o af_unix access

-		genprofile $sockpath:$okserver $client:Ux
+		genprofile $sockpath:$okserver "$client:Ux"
 		runchecktest "$testdesc; confined server w/o af_unix" fail $args
 		removesockets $sockpath $client_sockpath

@ -152,7 +152,7 @@ testsocktype()
 		for access in ${af_unix_okserver//,/ }; do
 			# FAIL - server w/ a missing af_unix access

-			genprofile $sockpath:$okserver "unix:(${af_unix_okserver//$access/})" $client:Ux
+			genprofile $sockpath:$okserver "unix:(${af_unix_okserver//$access/})" "$client:Ux"
 			runchecktest "$testdesc; confined server w/ a missing af_unix access ($access)" fail $args
 			removesockets $sockpath $client_sockpath
 		done
@ -170,32 +170,32 @@ testsocktype()

 	# PASS - client w/ access to the file

-	genprofile $server -- image=$client $sockpath:$okclient $af_unix
+	genprofile $server -- "image=$client" $sockpath:$okclient $af_unix
 	runchecktest "$testdesc; confined client w/ access ($okclient)" $ex_result $args
 	removesockets $sockpath $client_sockpath

 	# FAIL - client w/o access to the file

-	genprofile $server -- image=$client $af_unix
+	genprofile $server -- "image=$client" $af_unix
 	runchecktest "$testdesc; confined client w/o access" fail $args
 	removesockets $sockpath $client_sockpath

 	# FAIL - client w/ bad access to the file

-	genprofile $server -- image=$client $sockpath:$badclient1 $af_unix
+	genprofile $server -- "image=$client" $sockpath:$badclient1 $af_unix
 	runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
 	removesockets $sockpath $client_sockpath

 	# FAIL - client w/ bad access to the file

-	genprofile $server -- image=$client $sockpath:$badclient2
+	genprofile $server -- "image=$client" $sockpath:$badclient2
 	runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
 	removesockets $sockpath $client_sockpath

 	if [ -n "$af_unix_okclient" ] ; then
 		# FAIL - client w/o af_unix access

-		genprofile $server -- image=$client $sockpath:$okclient
+		genprofile $server -- "image=$client" $sockpath:$okclient
 		runchecktest "$testdesc; confined client w/o af_unix" fail $args
 		removesockets $sockpath $client_sockpath

@ -205,7 +205,7 @@ testsocktype()
 		for access in ${af_unix_okclient//,/ }; do
 			# FAIL - client w/ a missing af_unix access

-			genprofile $server -- image=$client $sockpath:$okclient "unix:(${af_unix_okclient//$access/})"
+			genprofile $server -- "image=$client" $sockpath:$okclient "unix:(${af_unix_okclient//$access/})"
 			runchecktest "$testdesc; confined client w/ a missing af_unix access ($access)" fail $args
 			removesockets $sockpath $client_sockpath
 		done
--- a/tests/regression/apparmor/unix_socket_unnamed.sh
+++ b/tests/regression/apparmor/unix_socket_unnamed.sh
@ -26,8 +26,8 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
-. $bin/unix_socket.inc
+. "$bin/prologue.inc"
+. "$bin/unix_socket.inc"
 requires_kernel_features policy/versions/v7
 requires_kernel_features network/af_unix
 requires_parser_support "unix,"
--- a/tests/regression/apparmor/unlink.sh
+++ b/tests/regression/apparmor/unlink.sh
@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file=$tmpdir/file
 okperm=rwix
--- a/tests/regression/apparmor/userns.sh
+++ b/tests/regression/apparmor/userns.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features namespaces/mask/userns_create
 requires_parser_support "userns,"
@ -68,7 +68,7 @@ do_test()
 	runchecktest "$desc unshare - root" $expect_root -u # unshare

 	$generate_setns_profile
-	runchecktest "$desc setns - root" $expect_setns_root -s $userns_setns_bin -p $pipe # setns
+	runchecktest "$desc setns - root" $expect_setns_root -s "$userns_setns_bin" -p $pipe # setns

 	settest -u "foo" userns # run tests as user foo
 	$generate_profile # settest removes the profile, so load it here
@ -76,7 +76,7 @@ do_test()
 	runchecktest "$desc unshare - user" $expect_user -u # unshare

 	$generate_setns_profile
-	runchecktest "$desc setns - user" $expect_setns_user -s $userns_setns_bin -p $pipe # setns
+	runchecktest "$desc setns - user" $expect_setns_user -s "$userns_setns_bin" -p $pipe # setns
 }

 if [ -e $unprivileged_userns_clone_path ] && [ $unprivileged_userns_clone -eq 0 ]; then
@ -152,9 +152,9 @@ detail="apparmor_restrict_unprivileged_userns enabled"
 do_test "unconfined $detail" pass $user_testresult pass pass

 # it should work when running as user with cap_sys_admin
-setcap cap_sys_admin+pie $bin/userns
+setcap cap_sys_admin+pie "$bin/userns"
 do_test "unconfined cap_sys_admin $detail" pass pass pass pass
 # remove cap_sys_admin from binary
-setcap cap_sys_admin= $bin/userns
+setcap cap_sys_admin= "$bin/userns"

 run_confined_tests "$detail"
--- a/tests/regression/apparmor/xattrs.sh
+++ b/tests/regression/apparmor/xattrs.sh
@ -34,7 +34,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 requires_kernel_features file/xattr

--- a/tests/regression/apparmor/xattrs_profile.sh
+++ b/tests/regression/apparmor/xattrs_profile.sh
@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd`

 bin=$pwd

-. $bin/prologue.inc
+. "$bin/prologue.inc"

 file="$bin/xattrs_profile"

@ -26,14 +26,14 @@ requires_kernel_features policy/outofband
 # Clean up existing xattrs
 clean_xattr()
 {
-    setfattr --remove=user.foo $file 2> /dev/null || true
-    setfattr --remove=user.bar $file 2> /dev/null || true
-    setfattr --remove=user.spam $file 2> /dev/null || true
+    setfattr --remove=user.foo "$file" 2> /dev/null || true
+    setfattr --remove=user.bar "$file "2> /dev/null || true
+    setfattr --remove=user.spam "$file "2> /dev/null || true
 }

 set_xattr()
 {
-    setfattr --name="$1" --value="$2" $file
+    setfattr --name="$1" --value="$2" "$file"
 }

 clean_xattr