policy: update to use 4.0 abi

Begin preparing policy for the 4.0 release. This may result in new
denials. This is expected and needed to make sure policy is ready
for the 4.0 release.

Signed-off-by: John Johansen <john.johansen@canonical.com>

profiles/Makefile

@@ -132,7 +132,7 @@ check-parser: test-dependencies local
 	@echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"
 	$(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \
 	        [ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \
-		echo "abi <abi/3.0>, #include <tunables/global> profile test { #include <$${abstraction}> }" \
+		echo "abi <abi/4.0>, #include <tunables/global> profile test { #include <$${abstraction}> }" \
 		| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \
 		|| exit 1; \
 	done

profiles/apparmor.d/abi/4.0

@@ -0,0 +1,91 @@
+capability {0xffffff
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
+}
+}
+dbus {mask {acquire send receive
+}
+}
+domain {attach_conditions {xattr {yes
+}
+}
+change_hat {yes
+}
+change_hatv {yes
+}
+change_onexec {yes
+}
+change_profile {yes
+}
+computed_longest_left {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+post_nnp_subset {yes
+}
+stack {yes
+}
+version {1.2
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+ipc {posix_mqueue {create read write open delete setattr getattr
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+namespaces {mask {userns_create
+}
+pivot_root {no
+}
+profile {yes
+}
+}
+network {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
+}
+af_unix {yes
+}
+}
+network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
+}
+}
+policy {outofband {0x000001
+}
+permstable32 {allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
+}
+permstable32_version {0x000002
+}
+set_load {yes
+}
+versions {v5 {yes
+}
+v6 {yes
+}
+v7 {yes
+}
+v8 {yes
+}
+v9 {yes
+}
+}
+}
+ptrace {mask {read trace
+}
+}
+query {label {data {yes
+}
+multi_transaction {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}

profiles/apparmor.d/abstractions/X

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/dri-common>
 

profiles/apparmor.d/abstractions/apache2-common

@@ -2,7 +2,7 @@
 
 # This file contains basic permissions for Apache and every vHost
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/nameservice>
 

profiles/apparmor.d/abstractions/apparmor_api/change_profile

@@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 include <abstractions/apparmor_api/introspect>
 

profiles/apparmor.d/abstractions/apparmor_api/examine

@@ -9,6 +9,6 @@
 # Make sure to include at least tunables/proc and tunables/kernelvars
 # when using this abstraction, if not tunables/global.
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 @{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r,

profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint

@@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 #permissions needed for aa_find_mountpoint
 

profiles/apparmor.d/abstractions/apparmor_api/introspect

@@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 # Make sure to include at least tunables/proc and tunables/kernelvars
 # when using this abstraction, if not tunables/global.

profiles/apparmor.d/abstractions/apparmor_api/is_enabled

@@ -6,7 +6,7 @@
 #
 # ------------------------------------------------------------------
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 # permissions needed for aa_is_enabled
 

profiles/apparmor.d/abstractions/aspell

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # aspell permissions
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # per-user settings and dictionaries
   owner @{HOME}/.aspell.*.{pws,prepl} rwk,

profiles/apparmor.d/abstractions/audio

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 
 /dev/admmidi*   rw,

profiles/apparmor.d/abstractions/authentication

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 
   # Some services need to perform authentication of users

profiles/apparmor.d/abstractions/base

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/crypto>
 

profiles/apparmor.d/abstractions/bash

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # user-specific bash files
   @{HOMEDIRS}                      r,

profiles/apparmor.d/abstractions/consoles

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 
   # there are three common ways to refer to consoles

profiles/apparmor.d/abstractions/crypto

@@ -11,7 +11,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   @{etc_ro}/gcrypt/hwf.deny r,
   @{etc_ro}/gcrypt/random.conf r,

profiles/apparmor.d/abstractions/cups-client

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # discoverable system configuration for non-local cupsd
   /etc/cups/client.conf   r,

profiles/apparmor.d/abstractions/dbus

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # This abstraction grants full system bus access. Consider using the
   # dbus-strict abstraction for fine-grained bus mediation.

profiles/apparmor.d/abstractions/dbus-accessibility

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # This abstraction grants full accessibility bus access. Consider using the
   # dbus-accessibility-strict abstraction for fine-grained bus mediation.

profiles/apparmor.d/abstractions/dbus-accessibility-strict

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   dbus send
        bus=accessibility

profiles/apparmor.d/abstractions/dbus-network-manager-strict

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   dbus send
        bus=system

profiles/apparmor.d/abstractions/dbus-session

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # This abstraction grants full session bus access. Consider using the
   # dbus-session-strict abstraction for fine-grained bus mediation.

profiles/apparmor.d/abstractions/dbus-session-strict

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # unique per-machine identifier
   /etc/machine-id r,

profiles/apparmor.d/abstractions/dbus-strict

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   @{run}/dbus/system_bus_socket rw,
 

profiles/apparmor.d/abstractions/dconf

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # permissions for querying dconf settings; granting write access should
 # be specified in a specific application's profile.

profiles/apparmor.d/abstractions/dovecot-common

@@ -9,7 +9,7 @@
 # ------------------------------------------------------------------
 # used with dovecot/*
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   capability setgid,
 

profiles/apparmor.d/abstractions/dri-common

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # This file contains common DRI-specific rules useful for GUI applications
 # (needed by libdrm and similar).

profiles/apparmor.d/abstractions/dri-enumerate

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # This file contains common DRI-specific rules useful for GUI applications that
 # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from

profiles/apparmor.d/abstractions/enchant

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # abstraction for Enchant spellchecking frontend
 

profiles/apparmor.d/abstractions/exo-open

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # This abstraction is designed to be used in a child profile to limit what
 # confined application can invoke via exo-open helper.

profiles/apparmor.d/abstractions/fcitx

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/fcitx-strict>
   dbus bus=fcitx,

profiles/apparmor.d/abstractions/fcitx-strict

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/dbus-session-strict>
 

profiles/apparmor.d/abstractions/fonts

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /usr/share/AbiSuite/fonts/**          r,
 

profiles/apparmor.d/abstractions/freedesktop.org

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # system configuration
   @{system_share_dirs}/applications/{**,} r,

profiles/apparmor.d/abstractions/gio-open

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # This abstraction is designed to be used in a child profile to limit what
 # confined application can invoke via gio helper.

profiles/apparmor.d/abstractions/gnome

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/base>
   include <abstractions/fonts>

profiles/apparmor.d/abstractions/gnupg

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # gnupg sub-process running permissions
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # user configurations
   owner @{HOME}/.gnupg/options     r,

profiles/apparmor.d/abstractions/gtk

@@ -7,7 +7,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /usr/share/themes/{,**} r,
 

profiles/apparmor.d/abstractions/gvfs-open

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # This abstraction is designed to be used in a child profile to limit what
 # confined application can invoke via gvfs-open helper.

profiles/apparmor.d/abstractions/hosts_access

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /etc/hosts.deny r,
   /etc/hosts.allow r,

profiles/apparmor.d/abstractions/ibus

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # abstraction for ibus input methods
   owner @{HOME}/.config/ibus/ r,

profiles/apparmor.d/abstractions/kde

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 include <abstractions/base>
 include <abstractions/fonts>

profiles/apparmor.d/abstractions/kde-globals-write

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Rules for changing KDE settings (for KFileDialog and other).
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # User files
  

profiles/apparmor.d/abstractions/kde-icon-cache-write

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Rules for writing KDE icon cache
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # User files
 

profiles/apparmor.d/abstractions/kde-language-write

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # Rules for changing per-application language settings on KDE. Some KDE
 # applications have "Help -> Switch Application Language..." option, that needs

profiles/apparmor.d/abstractions/kde-open5

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # This abstraction is designed to be used in a child profile to limit what
 # confined application can invoke via kde-open5 helper.

profiles/apparmor.d/abstractions/kerberosclient

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # files required by kerberos client programs
   /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,

profiles/apparmor.d/abstractions/ldapclient

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
   /etc/ldap.conf            r,

profiles/apparmor.d/abstractions/libpam-systemd

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 include <abstractions/dbus-strict>
 

profiles/apparmor.d/abstractions/likewise

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /tmp/.lwidentity/pipe       rw,
   /var/lib/likewise-open/lwidentity_privileged/pipe rw,

profiles/apparmor.d/abstractions/mdns

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # mdnsd
   /etc/mdns.allow r,

profiles/apparmor.d/abstractions/mesa

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Rules for Mesa implementation of the OpenGL API
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # System files
   /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()

profiles/apparmor.d/abstractions/mir

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # mir libraries sometimes do not have a lib prefix
   # see LP: #1422521

profiles/apparmor.d/abstractions/mozc

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
 

profiles/apparmor.d/abstractions/mysql

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
    /var/lib/mysql{,d}/mysql{,d}.sock rw,
    @{run}/mysql{,d}/mysql{,d}.sock rw,

profiles/apparmor.d/abstractions/nameservice

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # Many programs wish to perform nameservice-like operations, such as
   # looking up users by name or id, groups by name or id, hosts by name

profiles/apparmor.d/abstractions/nis

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # NIS rules
   /var/yp/binding/*           r,

profiles/apparmor.d/abstractions/nss-systemd

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # libnss-systemd
   #

profiles/apparmor.d/abstractions/nvidia

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # nvidia access requirements
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # configuration queries
   capability ipc_lock,

profiles/apparmor.d/abstractions/opencl

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # OpenCL access requirements
 

profiles/apparmor.d/abstractions/opencl-common

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # implementation-independent OpenCL access requirements
 

profiles/apparmor.d/abstractions/opencl-intel

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # OpenCL access requirements for Intel implementation
 

profiles/apparmor.d/abstractions/opencl-mesa

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # OpenCL access requirements for Mesa implementation
 

profiles/apparmor.d/abstractions/opencl-nvidia

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 # OpenCL access requirements for NVIDIA implementation
 

profiles/apparmor.d/abstractions/opencl-pocl

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # OpenCL access requirements for POCL implementation
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/opencl-common>
 

profiles/apparmor.d/abstractions/openssl

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /etc/ssl/openssl.cnf r,
   /etc/ssl/openssl-*.cnf r,

profiles/apparmor.d/abstractions/orbit2

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # orbit2 permissions
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # system library
   /usr/lib/orbit-2.0/*.so mr,

profiles/apparmor.d/abstractions/p11-kit

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /etc/pkcs11/ r,
   /etc/pkcs11/pkcs11.conf r,

profiles/apparmor.d/abstractions/perl

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # a few files typically required for perl scripts
   /usr/bin/perl                  rmix,

profiles/apparmor.d/abstractions/php

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # shared snippets for config files
   /etc/php{,5,7,8}/** r,

profiles/apparmor.d/abstractions/php-worker

@@ -2,7 +2,7 @@
 
 # This file contains basic permissions for php-fpm workers
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # load common libraries and their support files
   include <abstractions/base>

profiles/apparmor.d/abstractions/php5

@@ -1,6 +1,6 @@
 #backwards compatibility include, actual abstraction moved from php5 to php
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/php>
 

profiles/apparmor.d/abstractions/postfix-common

@@ -11,7 +11,7 @@
 # ------------------------------------------------------------------
 # used with postfix/*
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
 
   capability            setuid,

profiles/apparmor.d/abstractions/private-files

@@ -2,7 +2,7 @@
 # privacy-violations contains rules for common files that you want to
 # explicitly deny access
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # privacy violations (don't audit files under $HOME otherwise get a
   # lot of false positives when reading contents of directories)

profiles/apparmor.d/abstractions/private-files-strict

@@ -2,7 +2,7 @@
 # privacy-violations-strict contains additional rules for sensitive
 # files that you want to explicitly deny access
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/private-files>
 

profiles/apparmor.d/abstractions/python

@@ -10,7 +10,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /{usr/,}bin/ r,
   /{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,

profiles/apparmor.d/abstractions/qt5

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Common rules for Qt5-based applications
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # Additional libraries
 

profiles/apparmor.d/abstractions/qt5-compose-cache-write

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Allow writing cache for Qt5 "platforminputcontexts" plugins
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # User files
 

profiles/apparmor.d/abstractions/qt5-settings-write

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Allow writing shared settings for Qt-based applications
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # User files
 

profiles/apparmor.d/abstractions/recent-documents-write

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # Allow updating recent documents
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # User files
 

profiles/apparmor.d/abstractions/ruby

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r,
   /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r,

profiles/apparmor.d/abstractions/samba

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /etc/samba/* r,
   /usr/lib*/ldb/*.so mr,

profiles/apparmor.d/abstractions/samba-rpcd

@@ -11,7 +11,7 @@
 
 # This file contains basic permissions for samba rpcd_xyz services
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/base>
   include <abstractions/nameservice>

profiles/apparmor.d/abstractions/smbpass

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # libpam-smbpass/pam_smbpass.so permissions
   /var/lib/samba/*.[lt]db rwk,

profiles/apparmor.d/abstractions/ssl_certs

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /etc/ca-certificates/{,**} r,
   /etc/{,libre}ssl/ r,

profiles/apparmor.d/abstractions/ssl_keys

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # private ssl permissions
 

profiles/apparmor.d/abstractions/svn-repositories

@@ -8,7 +8,7 @@
 #
 # ------------------------------------------------------------------
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # This little snippet should abstract the read/write access to a repository.
   # it is intended to be included in profiles for svnserve/apache2 and maybe

profiles/apparmor.d/abstractions/trash

@@ -1,4 +1,4 @@
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 # requires <tunables/home>
 

profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients

@@ -6,7 +6,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /usr/bin/azureus Cxr -> sanitized_helper,
   /usr/bin/bitstormlite Cxr -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers

@@ -6,7 +6,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   /usr/bin/arora Cx -> sanitized_helper,
   /usr/bin/dillo Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser

@@ -13,7 +13,7 @@
 # For site-specific adjustments, please see:
 # /etc/apparmor.d/local/chromium-browser
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 include <abstractions/ubuntu-browsers.d/plugins-common>
 include <abstractions/ubuntu-browsers.d/mailto>

profiles/apparmor.d/abstractions/ubuntu-browsers.d/java

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # Java plugin
   owner @{HOME}/.java/deployment/deployment.properties k,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde

@@ -3,7 +3,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/kde>
   /usr/bin/kde4-config Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # for mailto:
   include <abstractions/ubuntu-email>

profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

@@ -3,7 +3,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/X>
 

profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   #
   # Plugins/helpers

profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity

@@ -3,7 +3,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # Openoffice.org
   /usr/bin/ooffice Cxr -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors

@@ -3,7 +3,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
   /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -3,7 +3,7 @@
 # in the toplevel profile. Eg:
 #   include <abstractions/ubuntu-helpers>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # Apport
   /usr/bin/apport-bug Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   # firefox-notify
   include <abstractions/python>