Github messages for voidlinux
* [PR PATCH] [WIP] apparmor: update to 3.0.0
@ 2020-10-29 11:41 PaperMountainStudio
  2020-10-29 13:32 ` ericonr
                   ` (28 more replies)
  0 siblings, 29 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-29 11:41 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 705 bytes --]

There is a new pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [ ] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] this update breaks compatibility with older apparmor profiles, are there any which have to be fixed?

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 7111 bytes --]

From 8582335d9cbf93b6426813be41b0ffc50338affe Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  2 +-
 srcpkgs/apparmor/files/profiles/usr.bin.nginx |  2 +-
 .../apparmor/files/profiles/usr.bin.php-fpm   |  2 +-
 .../files/profiles/usr.bin.pulseaudio         |  2 +-
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  2 +-
 .../files/profiles/usr.bin.wpa_supplicant     |  2 +-
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/template                     | 10 ++--
 8 files changed, 58 insertions(+), 24 deletions(-)

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..f4e0501ebf0 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -58,5 +58,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
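Review bot: `include if exists <local/usr.bin.dhcpcd>` on the last rule line makes the site override optional, so a missing or misnamed file under local/ is now skipped silently instead of failing the profile load; say so in local/README, which the comment above points to. Only this one include is converted in the hunk; if the profile's other `#include` lines stay in the old form, convert them in the same commit so the file uses one style.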
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..1d06fecfc18 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -30,5 +30,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..67a29f7bdc7 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -38,7 +38,7 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..4ce35f699f9 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -118,6 +118,6 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..bea18d5bff7 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -13,5 +13,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..d2336a6564e 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -45,5 +45,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
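Review bot: The regenerated patch drops the old hunk that commented out the `[repository]` section (`url = http://apparmor.test.opensuse.org/backend/api`), so nothing in this package disables that block any more. Confirm that the 3.0.0 `utils/logprof.conf` no longer ships the section; if it does, keep the hunk. The added `python3.8` and `python3.9` entries will also need touching on every Python bump.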
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..ea2e82742d9 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,7 +16,7 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
@@ -47,7 +47,9 @@ pre_build() {
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+	sed -i 's#SBINDIR=${DESTDIR}/usr/sbin#SBINDIR=${DESTDIR}/usr/bin#' binutils/Makefile
+	sed -i 's#SBINDIR=${DESTDIR}/usr/sbin#SBINDIR=${DESTDIR}/usr/bin#' utils/Makefile
+	sed -i 's#/sbin#/usr/bin#g' parser/Makefile
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
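Review bot: The third sed, `s#/sbin#/usr/bin#g` on parser/Makefile, is wider than the pattern it replaces: it also matches the tail of `/usr/sbin` and rewrites it to `/usr/usr/bin`. Anchor it on the variable as the two lines above do, or pass the directories as make variables. All three are plain `sed -i`, so a pattern that stops matching after a later update goes unnoticed; `vsed` would catch that.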


* Re: [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
@ 2020-10-29 13:32 ` ericonr
  2020-10-29 14:55 ` ericonr
                   ` (27 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: ericonr @ 2020-10-29 13:32 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-718755035

Comment:
@CameronNemo 

I can try and track down the musl breakage later.


* Re: [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
  2020-10-29 13:32 ` ericonr
@ 2020-10-29 14:55 ` ericonr
  2020-10-29 17:45 ` [PR REVIEW] " CameronNemo
                   ` (26 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: ericonr @ 2020-10-29 14:55 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 864 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-718807910

Comment:
```diff
diff --git a/binutils/aa_status.c b/binutils/aa_status.c
index 78b0340..56ecac3 100644
--- a/binutils/aa_status.c
+++ b/binutils/aa_status.c
@@ -17,6 +17,7 @@
 #include <errno.h>
 #include <ctype.h>
 #include <dirent.h>
+#include <limits.h>
 
 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 32892d0..dad7664 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -22,6 +22,7 @@
 #include <stdint.h>
 #include <unistd.h>
 #include <sys/types.h>
+#include <sys/socket.h>
 
 #ifdef __cplusplus
 extern "C" {
```


* Re: [PR REVIEW] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
  2020-10-29 13:32 ` ericonr
  2020-10-29 14:55 ` ericonr
@ 2020-10-29 17:45 ` CameronNemo
  2020-10-29 17:46 ` CameronNemo
                   ` (25 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: CameronNemo @ 2020-10-29 17:45 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 189 bytes --]

New review comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r514449938

Comment:
is this necessary or just recommended?


* Re: [PR REVIEW] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (2 preceding siblings ...)
  2020-10-29 17:45 ` [PR REVIEW] " CameronNemo
@ 2020-10-29 17:46 ` CameronNemo
  2020-10-29 17:47 ` CameronNemo
                   ` (24 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: CameronNemo @ 2020-10-29 17:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 233 bytes --]

New review comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r514450824

Comment:
probably want to use `vsed` here to check sed lines that no longer make changes (s


* Re: [PR REVIEW] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (3 preceding siblings ...)
  2020-10-29 17:46 ` CameronNemo
@ 2020-10-29 17:47 ` CameronNemo
  2020-10-29 21:19 ` PaperMountainStudio
                   ` (23 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: CameronNemo @ 2020-10-29 17:47 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 267 bytes --]

New review comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r514450824

Comment:
probably want to use `vsed` here to check sed lines that no longer make changes (see Manual.md for more information)


* Re: [PR REVIEW] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (4 preceding siblings ...)
  2020-10-29 17:47 ` CameronNemo
@ 2020-10-29 21:19 ` PaperMountainStudio
  2020-10-29 21:43 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (22 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-29 21:19 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 428 bytes --]

New review comment by PaperMountainStudio on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r514573974

Comment:
\# has been optional for a while, I think we should match the style preferred by upstream, syntax with # is still valid (I don't even know if they are planning to ever remove support for it). Using the version without # should allow me to remove the post_patch function.


* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (5 preceding siblings ...)
  2020-10-29 21:19 ` PaperMountainStudio
@ 2020-10-29 21:43 ` PaperMountainStudio
  2020-10-29 21:43 ` PaperMountainStudio
                   ` (21 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-29 21:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 922 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [ ] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] this update breaks compatibility with older apparmor profiles, are there any which have to be fixed?
    - [ ] akonadi5
    - [ ] brillo
    - [ ] firejail
    - [ ] gammastep
    - [ ] ippusbxd
    - [ ] libvirt
    - [ ] lightdm
    - [ ] lxc
    - [ ] mako
    - [ ] onionshare
    - [ ] torbrowser

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 10212 bytes --]

From ffeac6cad19b1a735b1b54b9f1ec1e0c4dc1587a Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  2 +-
 srcpkgs/apparmor/files/profiles/usr.bin.nginx |  2 +-
 .../apparmor/files/profiles/usr.bin.php-fpm   |  2 +-
 .../files/profiles/usr.bin.pulseaudio         |  2 +-
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  2 +-
 .../files/profiles/usr.bin.wpa_supplicant     |  2 +-
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 48 +++++++--------
 9 files changed, 100 insertions(+), 44 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..f4e0501ebf0 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -58,5 +58,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..1d06fecfc18 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -30,5 +30,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..67a29f7bdc7 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -38,7 +38,7 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..4ce35f699f9 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -118,6 +118,6 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..bea18d5bff7 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -13,5 +13,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..d2336a6564e 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -45,5 +45,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
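Review bot: fix-musl.patch carries no header saying which declarations were missing on musl or whether the change was sent upstream, and its second hunk edits `sys/apparmor.h`, an installed public header, so `<sys/socket.h>` is now pulled into every consumer of libapparmor. Add a short description at the top of the patch naming the undeclared symbols and a link to the upstream report, so the patch can be dropped once upstream includes them.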
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..fe71042b85e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
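Review bot: The removed `post_patch()` fixed `\#include` in `common/Make.rules`, which per its own comment feeds system headers to the C preprocessor to generate `parser/cap_names.h` and `parser/af_names.h`; that is a build-system directive, not the profile `include` syntax changed elsewhere in this patch. Before dropping it, check that 3.0.0's Make.rules no longer has the escaped form and that both generated headers are non-empty after a build.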
@@ -47,7 +37,10 @@ pre_build() {
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+    # fix cross compilation
+    vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
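Review bot: In the added `vsed -i parser/Makefile -e 's,cpp,$(CPP),'` the pattern `cpp` is unanchored, so the first `cpp` substring on every line of the Makefile is replaced, not only the preprocessor invocation. Match the surrounding text of the line being fixed so nothing else is touched. The new lines are also indented with spaces where the rest of the function uses tabs.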
@@ -56,15 +49,22 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        install -C binutils
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        BINDIR="${DESTDIR}/usr/bin" \
+        VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+        install -C utils
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+        install -C parser
+    make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
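Review bot: `SBINDIR`, `USR_SBINDIR` and the other directories are overridden only for `make install` here, while the `make -C binutils`, `-C utils` and `-C parser` calls in `post_build()` run with the Makefile defaults; if any of these paths is substituted into a built file, the installed location and the embedded one will disagree. Pass the same variables to the build step, ideally from one shared variable so the three invocations cannot drift apart.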
@@ -76,7 +76,7 @@ apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }


* Re: [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (6 preceding siblings ...)
  2020-10-29 21:43 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-10-29 21:43 ` PaperMountainStudio
  2020-10-29 22:45 ` [PR REVIEW] " CameronNemo
                   ` (20 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-29 21:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 559 bytes --]

New comment by PaperMountainStudio on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-719041786

Comment:
- fixed cross compilation thanks to @ericonr 
- I used /usr/share/vim/vimfiles/syntax instead of /usr/share/vim/vim80/syntax/. This feels like a better place since the path does not depend on version of vim, is this ok?
- removed post_patch() because the fix in it should not be needed anymore because we switched to #include without #.
- removed sed commands and forced make to use our variables instead


* Re: [PR REVIEW] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (7 preceding siblings ...)
  2020-10-29 21:43 ` PaperMountainStudio
@ 2020-10-29 22:45 ` CameronNemo
  2020-10-29 22:46 ` CameronNemo
                   ` (19 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: CameronNemo @ 2020-10-29 22:45 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 298 bytes --]

New review comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r514609849

Comment:
maybe define a variable (`args`) so that the DESTDIR, SBINDIR, and USR_SBINDIR lines do not need to be repeated for each of these three invocations


* Re: [PR REVIEW] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (8 preceding siblings ...)
  2020-10-29 22:45 ` [PR REVIEW] " CameronNemo
@ 2020-10-29 22:46 ` CameronNemo
  2020-10-29 22:49 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (18 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: CameronNemo @ 2020-10-29 22:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 237 bytes --]

New review comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r514610065

Comment:
thanks for the information... just needed to know for some of the packages I maintain.


* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (9 preceding siblings ...)
  2020-10-29 22:46 ` CameronNemo
@ 2020-10-29 22:49 ` PaperMountainStudio
  2020-10-29 22:51 ` PaperMountainStudio
                   ` (17 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-29 22:49 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 922 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] this update breaks compatibility with older apparmor profiles, are there any which have to be fixed?
    - [ ] akonadi5
    - [ ] brillo
    - [ ] firejail
    - [ ] gammastep
    - [ ] ippusbxd
    - [ ] libvirt
    - [ ] lightdm
    - [ ] lxc
    - [ ] mako
    - [ ] onionshare
    - [ ] torbrowser

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 13654 bytes --]

From 3faf3f930062ffc59daa37a63aaa8887f513b6f5 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  9 +--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 12 ++--
 .../apparmor/files/profiles/usr.bin.php-fpm   | 12 ++--
 .../files/profiles/usr.bin.pulseaudio         | 24 ++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  8 +--
 .../files/profiles/usr.bin.wpa_supplicant     | 10 ++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 48 +++++++--------
 9 files changed, 134 insertions(+), 73 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..f9fd40f33a6 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,10 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +16,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
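Review bot: `capability bpf,` is a new privilege grant for dhcpcd that neither the commit message nor the PR description mentions, and it is unrelated to the `#include` to `include` conversion in the rest of the file. State why dhcpcd needs it (and from which kernel or dhcpcd version), or move it to its own commit so the policy change can be reviewed separately.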
@@ -58,5 +59,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..46590dda151 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -4,13 +4,13 @@
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
 /usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
@@ -30,5 +30,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..93fb02fe509 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -5,7 +5,7 @@
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
@@ -13,10 +13,10 @@
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
 /usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +38,7 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..343be5e7ccf 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,14 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +108,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +120,6 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..a27798f7871 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,10 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+include <tunables/global>
 
 /usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
@@ -13,5 +13,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..847ad6cf4a2 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,10 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+include <tunables/global>
 
 /usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +47,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
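Review bot: the regenerated patch drops the old `@@ -36,10 +36,10 @@` hunk that commented out the `[repository]` section (including the `url = http://apparmor.test.opensuse.org/backend/api` entry), and nothing in the commit message says why. Please confirm that upstream 3.0.0 no longer ships that section in utils/logprof.conf; if it still does, the hunk needs to be carried forward. Separately, the per-version `/usr/bin/python3.8` and `/usr/bin/python3.9` entries will go stale with the next Python release.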
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
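Review bot: fix-musl.patch has no header explaining which musl build error each added include resolves, so a later maintainer cannot tell when it is safe to drop. Add a short description at the top of the patch naming the failing symbol for `<limits.h>` in binutils/aa_status.c and for `<sys/socket.h>` in sys/apparmor.h, and note whether it has been submitted upstream, since the second change touches a header under libapparmor's include/ directory.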
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..fe71042b85e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
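Review bot: removing `post_patch()` is only safe if 3.0.0's common/Make.rules no longer contains the escaped `\#include <` directives; per the deleted comment, the failure mode is that parser/cap_names.h and parser/af_names.h are generated empty, which may not show up as a build failure. Please check that both generated files are non-empty after the build and mention the removal in the commit message.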
@@ -47,7 +37,10 @@ pre_build() {
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+    # fix cross compilation
+    vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
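Review bot: the expression `'s,cpp,$(CPP),'` is unanchored, so it rewrites the first `cpp` substring on every line of parser/Makefile, not only the preprocessor invocation it is meant to fix. Match the specific command instead, and say in the comment what breaks in a cross build. This hunk also deletes the `$(DESTDIR)/sbin` rewrite; the install step now passes `SBINDIR`, so please confirm nothing in the package is still installed under /sbin.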
@@ -56,15 +49,22 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        install -C binutils
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        BINDIR="${DESTDIR}/usr/bin" \
+        VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+        install -C utils
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+        install -C parser
+    make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
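Review bot: the new `make` invocations are indented with four spaces, while the rest of the template uses tabs (see the unchanged `cd ${wrksrc}` and `if [ "$CROSS_BUILD" ]` lines in this hunk); re-indent with tabs to match. The switch to `VIM_INSTALL_PATH` in place of the manual `mkdir`/`mv` is a good cleanup, but it deserves a line in the commit message since it moves the syntax file from vim80 to vimfiles.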
@@ -76,7 +76,7 @@ apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }

* Re: [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (10 preceding siblings ...)
  2020-10-29 22:49 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-10-29 22:51 ` PaperMountainStudio
  2020-10-30 23:26 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (16 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-29 22:51 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 337 bytes --]

New comment by PaperMountainStudio on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-719068492

Comment:
- fixed some #includes
- added bpf capability to dhcpcd profile, because it was complaining without it, but bpf capability is available on 5.8+, what happens on lower kernels?

* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (11 preceding siblings ...)
  2020-10-29 22:51 ` PaperMountainStudio
@ 2020-10-30 23:26 ` PaperMountainStudio
  2020-10-30 23:33 ` PaperMountainStudio
                   ` (15 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-30 23:26 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 688 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 14555 bytes --]

From 4fb36e0c3da58358e6020de1aa3a1b07c1fe5dee Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 49 ++++++++-------
 9 files changed, 151 insertions(+), 85 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
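Review bot: `abi <abi/3.0>,` now heads every packaged profile, but nothing in this patch shows the abi/3.0 file being installed, and the commit message does not mention the change. Please confirm the file ends up in the installed profile directory via the `install -C profiles` step, and note in the commit message that the profiles are now pinned to the 3.0 feature ABI, since that bears on the open question about `capability bpf,` on kernels before 5.8.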
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
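Review bot: replacing the four specific read rules with `/etc/nginx/** r,` widens the profile's read access to every file at any depth under /etc/nginx, which is a policy change independent of the 3.0.0 update and is not mentioned in the commit message. If the goal is to cover subdirectories other than conf.d/, say so and consider splitting it into its own commit; anything sensitive an admin keeps under /etc/nginx (for example TLS keys) is now permitted by this rule.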
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
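Review bot: changing the header from `/usr/bin/php-fpm {` to `profile php-fpm /usr/bin/php-fpm {` changes the profile's name from the path to `php-fpm`, so anything that refers to the profile by name (audit log filters, peer labels in other policy, admin scripts) will see a different label after the upgrade. The same applies to the nginx, uuidd and wpa_supplicant profiles in this revision; please call the rename out in the commit message.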
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
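Review bot: the profile is named `uuid` but the binary and the profile file are `uuidd`; every other profile in this revision takes the binary's name (`dhcpcd`, `nginx`, `php-fpm`, `wpa_supplicant`), so this looks like a typo. Use `profile uuidd /usr/bin/uuidd {` so the name shown in status output and audit logs matches the daemon.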
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..af1be2fcc40 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
@@ -40,14 +30,15 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+    # fix cross compilation
+    vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
@@ -56,15 +47,23 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
 
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        install -C binutils
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        BINDIR="${DESTDIR}/usr/bin" \
+        VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+        install -C utils
+    make DESTDIR="${DESTDIR}" \
+        SBINDIR="${DESTDIR}/usr/bin" \
+        USR_SBINDIR="${DESTDIR}/usr/bin" \
+        APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+        install -C parser
+    make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
@@ -76,7 +75,7 @@ apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }

* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (12 preceding siblings ...)
  2020-10-30 23:26 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-10-30 23:33 ` PaperMountainStudio
  2020-10-31 22:01 ` PaperMountainStudio
                   ` (14 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-30 23:33 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 688 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 14375 bytes --]

From 53f756ba1b2b688a277809199769bc6138732933 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 44 ++++++--------
 9 files changed, 145 insertions(+), 86 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
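Review bot: `capability bpf,` is added with no comment saying what dhcpcd needs it for, and the PR description still lists the behaviour on kernels before 5.8 as unchecked. The context lines show the profile already grants `capability sys_admin,`; please add a one-line comment above the new rule explaining why both are required, and record the result of the pre-5.8 test before this leaves WIP.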
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
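Review bot: `/etc/nginx/** r,` replaces four narrow rules and lets the confined nginx read every file at any depth under /etc/nginx, which is broader than the removed `*.conf`, `*_params`, `conf.d/*` and `mime.types` globs. Anything an admin places in that tree, key material and password files included, is now readable by default. The removed `XXX` comment posed this as an open question and the patch answers it without explanation; either add only the subdirectories that were actually missing, or state in the commit message that the widening is intentional and why.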
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
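Review bot: the new header `profile uuid /usr/bin/uuidd {` names the profile `uuid`, while the binary and the profile file are `uuidd` and the other profiles in this patch use the binary name (`nginx`, `php-fpm`, `wpa_supplicant`). The profile name is what shows up in audit logs and status output, so this looks like a typo; suggest `profile uuidd /usr/bin/uuidd {`.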
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
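Review bot: fix-musl.patch is added with no header or description, unlike correct_paths_logprofconf.patch, which gains a From/Subject header in this same commit. Please add a short note at the top saying which musl build errors the `<limits.h>` include in aa_status.c and the `<sys/socket.h>` include in sys/apparmor.h fix, and whether the change has been sent upstream, so the patch can be dropped once it is no longer needed.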
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..f3b28ed639f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
@@ -40,14 +30,15 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+    # fix cross compilation
+    vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
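Review bot: the expression `'s,cpp,$(CPP),'` in post_build is unanchored, so it rewrites the first `cpp` substring on every line of parser/Makefile, including inside longer words or file names, not only the preprocessor invocation. Match the command in its context instead, or at least on word boundaries. The three added lines are also indented with spaces while the rest of the function uses tabs.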
@@ -56,15 +47,16 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+    commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+    make $commonflags install -C binutils
+    make $commonflags \
+        BINDIR="${DESTDIR}/usr/bin" \
+        VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+        install -C utils
+    make $commonflags \
+        APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+        install -C parser
+    make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
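Review bot: `commonflags` is built with escaped inner quotes and then expanded unquoted as `make $commonflags`, so the shell does not re-parse those quotes: make receives `DESTDIR="..."` with the quote characters as part of the value, and a DESTDIR containing whitespace would still be split into separate words. Pass the assignments directly on each make line, as the removed lines did, or drop the inner quotes. The added lines also use space indentation where the surrounding function uses tabs.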
@@ -76,7 +68,7 @@ apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }


* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (13 preceding siblings ...)
  2020-10-30 23:33 ` PaperMountainStudio
@ 2020-10-31 22:01 ` PaperMountainStudio
  2020-11-01 13:33 ` PaperMountainStudio
                   ` (13 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-10-31 22:01 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 688 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 14375 bytes --]

From 53f756ba1b2b688a277809199769bc6138732933 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 44 ++++++--------
 9 files changed, 145 insertions(+), 86 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
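Review bot: this revision of correct_paths_logprofconf.patch drops the old hunk that commented out the `[repository]` section, including `url = http://apparmor.test.opensuse.org/backend/api`, and nothing replaces it. Please confirm that logprof.conf in 3.0.0 no longer ships that section; if it still does, the plain-HTTP repository settings become active again and the hunk should be carried forward.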
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..f3b28ed639f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
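Review bot: the `post_patch` workaround for `common/Make.rules` is removed with nothing in the commit message saying why it is no longer needed. Its comment says the bug produced empty `parser/cap_names.h` and `parser/af_names.h`; since this update starts using a new capability name in the dhcpcd profile, please confirm both generated headers are populated in a 3.0.0 build and say so in the commit message.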
@@ -40,14 +30,15 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+    # fix cross compilation
+    vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
@@ -56,15 +47,16 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+    commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+    make $commonflags install -C binutils
+    make $commonflags \
+        BINDIR="${DESTDIR}/usr/bin" \
+        VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+        install -C utils
+    make $commonflags \
+        APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+        install -C parser
+    make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
@@ -76,7 +68,7 @@ apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }


* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (14 preceding siblings ...)
  2020-10-31 22:01 ` PaperMountainStudio
@ 2020-11-01 13:33 ` PaperMountainStudio
  2020-11-01 14:27 ` PaperMountainStudio
                   ` (12 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-01 13:33 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 634 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 14500 bytes --]

From 667ddd98481d9d72d7744a48682522a0139b3205 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 47 +++++++--------
 9 files changed, 148 insertions(+), 86 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
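Review bot: the description in this revision ticks the item about the dhcpcd profile on kernels before 5.8, but this hunk is identical to the previous revision and nothing records what the check found. Please put the outcome next to `capability bpf,` as a profile comment, or in the commit message, so the next maintainer does not have to repeat the test.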
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
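Review bot: `/etc/nginx/** r,` replaces four narrow read rules and settles the removed `# XXX` question in favour of the broad form without saying why. The profile now grants read on every file at any depth under /etc/nginx, including anything an admin places there that is not configuration. Either keep the enumerated rules and add the specific paths that were missing, or keep `**` and leave a comment explaining why recursion is needed. The context line above also says `pfp-fpm` where `php-fpm` is meant, which is worth fixing while the header is being touched.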
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
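Review bot: `profile uuid /usr/bin/uuidd {` names the profile `uuid`, while every other profile in this patch is named after its binary (`dhcpcd`, `nginx`, `php-fpm`, `pulseaudio`, `wpa_supplicant`). The profile name is what appears in audit messages and in the loaded-profile list, so this looks like a typo for `uuidd`.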
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
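Review bot: fix-musl.patch adds `#include <limits.h>` to binutils/aa_status.c and `#include <sys/socket.h>` to sys/apparmor.h without any description. Please give the patch a short header naming the symbols that are undeclared on musl without these includes, and say whether it has been sent upstream. The second include changes an installed public header, so it affects everything that builds against libapparmor, not only this package.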
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..2a63972e232 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
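Review bot: the removed `post_patch()` worked around `\#include` in common/Make.rules, and neither the commit message nor the template says that 3.0.0 fixed this upstream. The old comment describes a failure that yields empty `parser/cap_names.h` and `parser/af_names.h` rather than a build error, so please confirm that both generated headers are populated after a 3.0.0 build, cross builds included, and note that in the commit message.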
@@ -40,14 +30,15 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+    # fix cross compilation
+    vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
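Review bot: `vsed -i parser/Makefile -e 's,cpp,$(CPP),'` is unanchored, so it rewrites the first `cpp` on every line of the Makefile whether or not that line invokes the preprocessor, and can also hit file names or variables containing that substring. Match the command in its context (the recipe fragment that actually calls cpp) instead. The three added lines are also indented with spaces, while the rest of the template uses tabs.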
@@ -56,27 +47,31 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+    commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+    make $commonflags install -C binutils
+    make $commonflags \
+        BINDIR="${DESTDIR}/usr/bin" \
+        VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+        install -C utils
+    make $commonflags \
+        APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+        install -C parser
+    make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
+
+    # we installed a custom conflicting profile
+    rm ${DESTDIR}/etc/apparmor.d/php-fpm
 }
 
 apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }
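Review bot: `commonflags` stores escaped quotes (`DESTDIR=\"${DESTDIR}\" ...`) and is then expanded unquoted in `make $commonflags`. Quotes that come out of a variable expansion are not re-parsed by the shell, so make receives the literal `"` characters as part of each value, and word splitting still breaks on any whitespace in `${DESTDIR}`. Pass the assignments directly on each make line, or use a bash array (`commonflags=(DESTDIR="${DESTDIR}" ...)` with `make "${commonflags[@]}"`). The added block is also space-indented, unlike the surrounding tab-indented lines.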

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (15 preceding siblings ...)
  2020-11-01 13:33 ` PaperMountainStudio
@ 2020-11-01 14:27 ` PaperMountainStudio
  2020-11-01 15:03 ` PaperMountainStudio
                   ` (11 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-01 14:27 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 634 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 14452 bytes --]

From 19d3f2f9bd7efcd8ec99475adf63db039c719fb0 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 47 +++++++--------
 9 files changed, 148 insertions(+), 86 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
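Review bot: the final `include if exists <local/usr.bin.wpa_supplicant>` is the only local include in this patch without the `# Site-specific additions and overrides. See local/README for details.` comment that the dhcpcd, nginx, php-fpm, pulseaudio and uuidd profiles carry. Add it here for consistency.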
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
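Review bot: the previous version of this patch also commented out the `[repository]` section (`url = http://apparmor.test.opensuse.org/backend/api`), and the refreshed patch drops that hunk without explanation. Please confirm that utils/logprof.conf in 3.0.0 no longer ships that section. If it still does, the plain-HTTP repository settings are enabled again by this update.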
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..bdf6305595f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
@@ -40,14 +30,15 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+	# fix cross compilation
+	vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
@@ -56,27 +47,31 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+	make $commonflags install -C binutils
+	make $commonflags \
+		BINDIR="${DESTDIR}/usr/bin" \
+		VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+		install -C utils
+	make $commonflags \
+		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+		install -C parser
+	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
+
+	# we installed a custom conflicting profile
+	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }
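Review bot: `rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm` removes files installed by the upstream profiles target, but the comment `# we installed a custom conflicting profile` does not say which two files conflict or in what way (same profile name, same attachment path?), nor why the Void profile from files/profiles is preferred over the upstream one. Spell that out in the comment, and quote `${DESTDIR}` here as the `make` lines earlier in this hunk now do.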

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (16 preceding siblings ...)
  2020-11-01 14:27 ` PaperMountainStudio
@ 2020-11-01 15:03 ` PaperMountainStudio
  2020-11-01 19:59 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (10 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-01 15:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 177 bytes --]

New comment by PaperMountainStudio on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-720102256

Comment:
I think this PR is ready

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (17 preceding siblings ...)
  2020-11-01 15:03 ` PaperMountainStudio
@ 2020-11-01 19:59 ` PaperMountainStudio
  2020-11-01 20:00 ` PaperMountainStudio
                   ` (9 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-01 19:59 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 634 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 15180 bytes --]

From 3ab6d579ea40ca824268b741174b3ce5b80d97d2 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 srcpkgs/apparmor/INSTALL.msg                  |  2 +-
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 50 ++++++++--------
 10 files changed, 152 insertions(+), 87 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/INSTALL.msg b/srcpkgs/apparmor/INSTALL.msg
index c9f763715a6..15d5d102250 100644
--- a/srcpkgs/apparmor/INSTALL.msg
+++ b/srcpkgs/apparmor/INSTALL.msg
@@ -1,2 +1,2 @@
 To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'.
-You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste.
+You'll also need to switch 'APPARMOR' setting in /etc/default/apparmor to your taste.
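Review bot: the corrected line still reads "switch 'APPARMOR' setting in /etc/default/apparmor to your taste" without listing the values the setting accepts, and the unchanged line above says "grub CMDLINE" rather than naming the variable to edit. Since the message is being touched anyway, name both explicitly so it is actionable on its own.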
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
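Review bot: the added `capability bpf,` line carries no comment saying which dhcpcd feature needs it, and it sits directly under `capability sys_admin,`, which is already the broadest capability in this profile. The PR checklist notes that the bpf capability only exists on kernels 5.8 and later, so please add a one-line comment above the rule recording why it is needed and what was observed on older kernels, so a later reader can tell whether either capability can be dropped.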
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
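Review bot: replacing the four specific rules with `/etc/nginx/** r,` widens read access to every file at any depth under /etc/nginx, where the old rules covered only `*.conf`, `*_params`, `conf.d/*` and `mime.types`. The removed `XXX` comment shows this was an open question; state in the commit message why the recursive glob is needed (for example, included files in subdirectories), since anything else an administrator keeps under that directory becomes readable by a confined nginx. Separately, the context comment says `pfp-fpm`, which should read `php-fpm` while the file is being touched.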
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
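Review bot: the new profile header `profile uuid /usr/bin/uuidd {` names the profile `uuid`, while the binary, the file name and the local include all say `uuidd`, and every other profile in this patch is named after its binary. That looks like a typo; the profile name is what appears in status output and audit log lines, so it should read `profile uuidd /usr/bin/uuidd {`.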
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
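Review bot: fix-musl.patch is added as a bare diff with no header, so nothing records why `#include <limits.h>` in binutils/aa_status.c and `#include <sys/socket.h>` in sys/apparmor.h are needed. correct_paths_logprofconf.patch gains a From/Subject header in this same PR; please give this one the same, naming the build errors seen on musl, and say whether it has been sent upstream, since the second include changes a public libapparmor header.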
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..4c260b24a1b 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
@@ -40,14 +30,18 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+
+	# use the correct syslog path
+	vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+	# fix cross compilation
+	vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
@@ -56,27 +50,31 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+	make $commonflags install -C binutils
+	make $commonflags \
+		BINDIR="${DESTDIR}/usr/bin" \
+		VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+		install -C utils
+	make $commonflags \
+		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+		install -C parser
+	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
+
+	# we installed a custom conflicting profile
+	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }
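Review bot: in post_install, the escaped quotes in the `commonflags=` assignment do not do what they appear to. `make $commonflags` is expanded unquoted, so the string is still split on whitespace and each `\"` reaches make as a literal quote character inside the value. A bash array expanded as `"${commonflags[@]}"` keeps each assignment as a single argument. Also, the new `rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm` has no `-f`, so the install step fails if upstream stops shipping either file; decide whether that failure is wanted and say so in the comment above it.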


* Re: [WIP] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (18 preceding siblings ...)
  2020-11-01 19:59 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-11-01 20:00 ` PaperMountainStudio
  2020-11-01 20:01 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (8 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-01 20:00 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 241 bytes --]

New comment by PaperMountainStudio on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-720142932

Comment:
last touch:
- use the correct syslog path for void
- refer to void docs in INSTALL.msg


* Re: [PR PATCH] [Updated] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (19 preceding siblings ...)
  2020-11-01 20:00 ` PaperMountainStudio
@ 2020-11-01 20:01 ` PaperMountainStudio
  2020-11-09  3:59 ` ericonr
                   ` (7 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-01 20:01 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 628 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

If anyone wants to adopt this PR, feel free to do so.

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 15222 bytes --]

From 7afd6656c735d2c912db71d9d6354ae467a3ee31 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 srcpkgs/apparmor/INSTALL.msg                  |  3 +-
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 11 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 27 +++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 50 ++++++++--------
 10 files changed, 152 insertions(+), 88 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/INSTALL.msg b/srcpkgs/apparmor/INSTALL.msg
index c9f763715a6..488f2c40e11 100644
--- a/srcpkgs/apparmor/INSTALL.msg
+++ b/srcpkgs/apparmor/INSTALL.msg
@@ -1,2 +1 @@
-To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'.
-You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste.
+To configure AppArmor properly, please refer to the Void Linux Handbook: https://docs.voidlinux.org/config/security/apparmor.html
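Review bot: the replacement line drops the only on-system statement that AppArmor needs `apparmor=1 security=apparmor` on the kernel command line and points to a web page instead. INSTALL.msg is read at install time, possibly without network access, and the removed text was what told the user AppArmor is not enabled after reboot without those parameters. Keep one short sentence with the kernel parameters and put the handbook link after it.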
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..89dd29f77e8 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,6 +18,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
   network inet raw,
@@ -58,5 +61,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..e9835524bcc 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -106,9 +110,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +122,5 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
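Review bot: style point on the added line of this hunk: `include if exists <local/usr.bin.wpa_supplicant>` is the only local include in the patch without the `# Site-specific additions and overrides. See local/README for details.` comment above it. Add the comment for consistency with the other five profiles.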
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
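Review bot: the rewritten patch no longer carries the hunk that commented out the `[repository]` section with its `http://apparmor.test.opensuse.org/backend/api` URL, and the PR does not say why. If upstream 3.0.0 removed that section, say so in the commit message; if not, the hunk should stay. The added `/usr/bin/python3.8` and `/usr/bin/python3.9` entries will also need touching on every Python bump, which is worth a note in the template.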
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..4c260b24a1b 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
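Review bot: the removed `post_patch()` carried a comment explaining that the `\#include` escaping in common/Make.rules produced empty parser/cap_names.h and parser/af_names.h, and nothing in the PR says 3.0.0 no longer has that problem. According to that comment those files hold the parser's capability and address-family name lists, so please confirm both generated headers are populated in a 3.0.0 build, cross builds included, and mention the result in the commit message.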
@@ -40,14 +30,18 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+
+	# use the correct syslog path
+	vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+	# fix cross compilation
+	vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
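Review bot: the cross-compilation fix in post_build, `vsed -i parser/Makefile -e 's,cpp,$(CPP),'`, uses an unanchored pattern, so it rewrites the first `cpp` on every line of parser/Makefile, including any occurrence inside a longer word or file name. Match the actual preprocessor invocation instead. In pre_build, the `logfiles` rewrite hard-codes `/var/log/socklog/kernel/current`; extend the comment to say this assumes socklog, so users of another logger know to change logprof.conf.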
@@ -56,27 +50,31 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+	make $commonflags install -C binutils
+	make $commonflags \
+		BINDIR="${DESTDIR}/usr/bin" \
+		VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+		install -C utils
+	make $commonflags \
+		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+		install -C parser
+	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
+
+	# we installed a custom conflicting profile
+	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }


* Re: apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (20 preceding siblings ...)
  2020-11-01 20:01 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-11-09  3:59 ` ericonr
  2020-11-11 23:24 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (6 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: ericonr @ 2020-11-09  3:59 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 240 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-723739942

Comment:
Hmm, it complains about being unable to create cache when I have `write-cache` in my `parser.conf`.

* Re: [PR PATCH] [Updated] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (21 preceding siblings ...)
  2020-11-09  3:59 ` ericonr
@ 2020-11-11 23:24 ` PaperMountainStudio
  2020-11-11 23:27 ` PaperMountainStudio
                   ` (5 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-11 23:24 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 520 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] fix build on musl
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 16043 bytes --]

From a3715a8fb503a164c3571383499c8d04c9f868e3 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 srcpkgs/apparmor/INSTALL.msg                  |  3 +-
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 12 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 35 +++++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 50 ++++++++--------
 10 files changed, 160 insertions(+), 89 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/INSTALL.msg b/srcpkgs/apparmor/INSTALL.msg
index c9f763715a6..488f2c40e11 100644
--- a/srcpkgs/apparmor/INSTALL.msg
+++ b/srcpkgs/apparmor/INSTALL.msg
@@ -1,2 +1 @@
-To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'.
-You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste.
+To configure AppArmor properly, please refer to the Void Linux Handbook: https://docs.voidlinux.org/config/security/apparmor.html
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..1d6e1b95d62 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,8 +18,10 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
+  network packet raw,
   network inet raw,
   network inet6 raw,
 
@@ -58,5 +62,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
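Review bot: `/etc/nginx/** r,` is broader than the four rules it replaces: it permits reading every file at any depth under /etc/nginx, where the removed rules covered only `*.conf`, `*_params`, `conf.d/*` and `mime.types`. If the goal is to support additional include directories, list those directories, or add a comment stating that the profile now allows reads of anything placed under /etc/nginx.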
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..114afc8fdac 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -67,12 +71,17 @@ profile pulseaudio /usr/bin/pulseaudio {
   /sys/devices/virtual/sound/**/uevent r,
 
   /usr/share/alsa/** r,
-  /usr/share/applications/ r,
-  /usr/share/applications/* r,
   /usr/share/pulseaudio/** r,
   /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
   /usr/libexec/pulse/gsettings-helper Cx,
 
+  /usr/{,local/}share/applications/ r,
+  /usr/{,local/}share/applications/* r,
+  @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+  @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+  /var/lib/flatpak/exports/share/applications/ r,
+  /var/lib/flatpak/exports/share/applications/* r,
+
   owner /var/lib/gdm3/.config/pulse/ rw,
   owner /var/lib/gdm3/.config/pulse/* rw,
   owner /var/lib/gdm3/.config/pulse/cookie rwk,
@@ -106,9 +115,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +127,6 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
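Review bot: The profile is named `uuid` in `profile uuid /usr/bin/uuidd {`, while the binary and the profile file are both `uuidd`, and the other profiles in this patch are named after their binary (`nginx`, `php-fpm`, `wpa_supplicant`). This looks like a typo; `profile uuidd /usr/bin/uuidd {` keeps the profile name that appears in logs and status output consistent with the daemon.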
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..4c260b24a1b 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
@@ -40,14 +30,18 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+
+	# use the correct syslog path
+	vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+	# fix cross compilation
+	vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
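Review bot: In post_build, `vsed -i parser/Makefile -e 's,cpp,$(CPP),'` is unanchored: it rewrites the first `cpp` substring on every line of parser/Makefile, whether or not that line invokes the preprocessor. Match the actual invocation instead, for example by including the surrounding command text in the pattern, or carry the change as a patch file next to correct_paths_logprofconf.patch so the exact lines touched are reviewable.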
@@ -56,27 +50,31 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+	make $commonflags install -C binutils
+	make $commonflags \
+		BINDIR="${DESTDIR}/usr/bin" \
+		VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+		install -C utils
+	make $commonflags \
+		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+		install -C parser
+	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
+
+	# we installed a custom conflicting profile
+	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }
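Review bot: `rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm` runs without `-f`, unlike the `rm -f` for aa-notify just above, so it fails if upstream stops shipping either file, and the comment does not name the custom profile it conflicts with. If the failure is intended as a tripwire, say so in the comment; otherwise use `rm -f` and mention usr.bin.php-fpm.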

* Re: apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (22 preceding siblings ...)
  2020-11-11 23:24 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-11-11 23:27 ` PaperMountainStudio
  2020-11-12  1:08 ` [PR REVIEW] " CameronNemo
                   ` (4 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-11 23:27 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 427 bytes --]

New comment by PaperMountainStudio on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-725719654

Comment:
- fixed dhcpcd profile which caused it not to get address from a DHCP server
- fixed warnings about (probably harmless) rule violations in pulseaudio profile (read access to /usr/share/applications)

I managed to reproduce the error with write-cache, I will try to fix it

* Re: [PR REVIEW] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (23 preceding siblings ...)
  2020-11-11 23:27 ` PaperMountainStudio
@ 2020-11-12  1:08 ` CameronNemo
  2020-11-12  9:58 ` [PR PATCH] [Updated] " PaperMountainStudio
                   ` (3 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: CameronNemo @ 2020-11-12  1:08 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 248 bytes --]

New review comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#discussion_r521754959

Comment:
change to `owner @{HOME}...` so that it only gives permissions for the user's own home directory.

* Re: [PR PATCH] [Updated] apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (24 preceding siblings ...)
  2020-11-12  1:08 ` [PR REVIEW] " CameronNemo
@ 2020-11-12  9:58 ` PaperMountainStudio
  2020-11-22  3:16 ` the-maldridge
                   ` (2 subsequent siblings)
  28 siblings, 0 replies; 30+ messages in thread
From: PaperMountainStudio @ 2020-11-12  9:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 520 bytes --]

There is an updated pull request by PaperMountainStudio against master on the void-packages repository

https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967

apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc

- [x] fix build on musl
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 16055 bytes --]

From 480bff67ccaa36d637bb00f4084eb514be24639c Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0

---
 srcpkgs/apparmor/INSTALL.msg                  |  3 +-
 .../apparmor/files/profiles/usr.bin.dhcpcd    | 12 ++--
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 22 ++++---
 .../apparmor/files/profiles/usr.bin.php-fpm   | 17 +++---
 .../files/profiles/usr.bin.pulseaudio         | 35 +++++++----
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 12 ++--
 .../files/profiles/usr.bin.wpa_supplicant     | 14 +++--
 .../patches/correct_paths_logprofconf.patch   | 60 ++++++++++++++-----
 srcpkgs/apparmor/patches/fix-musl.patch       | 24 ++++++++
 srcpkgs/apparmor/template                     | 50 ++++++++--------
 10 files changed, 160 insertions(+), 89 deletions(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch

diff --git a/srcpkgs/apparmor/INSTALL.msg b/srcpkgs/apparmor/INSTALL.msg
index c9f763715a6..488f2c40e11 100644
--- a/srcpkgs/apparmor/INSTALL.msg
+++ b/srcpkgs/apparmor/INSTALL.msg
@@ -1,2 +1 @@
-To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'.
-You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste.
+To configure AppArmor properly, please refer to the Void Linux Handbook: https://docs.voidlinux.org/config/security/apparmor.html
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..1d6e1b95d62 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile dhcpcd /{usr/,}bin/dhcpcd {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/base>
+  include <abstractions/nameservice>
 
   capability chown,
   capability fowner,
@@ -16,8 +18,10 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   capability setgid,
   capability sys_admin,
   capability sys_chroot,
+  capability bpf,
 
   network packet dgram,
+  network packet raw,
   network inet raw,
   network inet6 raw,
 
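Review bot: `capability bpf,` and `network packet raw,` widen the dhcpcd profile without a comment saying what needs them, and the PR checklist notes that the bpf capability is only available on kernels 5.8 and later. Add a short comment above each rule recording why it is required and what was observed on older kernels, so a later cleanup does not drop or broaden them blindly.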
@@ -58,5 +62,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
   owner @{PROC}/@{pid}/stat r,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.dhcpcd>
+  include if exists <local/usr.bin.dhcpcd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..be769703f5d 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -1,25 +1,23 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile will by default work with pfp-fpm on TCP sockets.
 # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
 # /path/to/your/unix/socket rw,
 
-#include <tunables/global>
+include <tunables/global>
 
-/usr/bin/nginx {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/nis>
-  #include <abstractions/openssl>
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
 
-  # XXX: Maybe switch to "/etc/nginx/** r," ?
-  /etc/nginx/*.conf r,
-  /etc/nginx/*_params r,
-  /etc/nginx/conf.d/* r,
-  /etc/nginx/mime.types r,
+  /etc/nginx/** r,
 
   /run/nginx.pid rw,
 
@@ -30,5 +28,5 @@
   /var/log/nginx/* w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.nginx>
+  include if exists <local/usr.bin.nginx>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..0b036965da1 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -1,22 +1,24 @@
 # vim:syntax=apparmor
 
+abi <abi/3.0>,
+
 # NOTE: This profile uses TCP sockets by default
 # If you wish for php-fpm to listen to unix socket,
 # add the following permission to local/usr.bin.php-fpm
 # /path/to/your/unix/socket w,
 
-#include <tunables/global>
+include <tunables/global>
 
 # This is PHP open_basedir where script can only be executed from.
 # /home, /tmp have been removed to not open permissions too widely
 # /usr/share/pear have been removed to have its own permission
 @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
 
-/usr/bin/php-fpm {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/php>
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
 
   capability setgid,
   capability setuid,
@@ -38,7 +40,6 @@
   /var/log/php-fpm.log w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.php-fpm>
+  include if exists <local/usr.bin.php-fpm>
 
 }
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..f8ceb4c2334 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,16 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
 
 profile pulseaudio /usr/bin/pulseaudio {
-  #include <abstractions/base>
-  #include <abstractions/audio>
-  #include <abstractions/dbus-session>
-  #include <abstractions/dbus-strict>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
 
   dbus send
        bus=system
@@ -67,12 +71,17 @@ profile pulseaudio /usr/bin/pulseaudio {
   /sys/devices/virtual/sound/**/uevent r,
 
   /usr/share/alsa/** r,
-  /usr/share/applications/ r,
-  /usr/share/applications/* r,
   /usr/share/pulseaudio/** r,
   /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
   /usr/libexec/pulse/gsettings-helper Cx,
 
+  /usr/{,local/}share/applications/ r,
+  /usr/{,local/}share/applications/* r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+  /var/lib/flatpak/exports/share/applications/ r,
+  /var/lib/flatpak/exports/share/applications/* r,
+
   owner /var/lib/gdm3/.config/pulse/ rw,
   owner /var/lib/gdm3/.config/pulse/* rw,
   owner /var/lib/gdm3/.config/pulse/cookie rwk,
@@ -106,9 +115,9 @@ profile pulseaudio /usr/bin/pulseaudio {
   owner /tmp/.esd-@{pid}*/socket rw,
 
   profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    #include <abstractions/base>
-    #include <abstractions/gnome>
-    #include <abstractions/dconf>
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
 
     /usr/libexec/pulse/gsettings-helper mr,
     owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +127,6 @@ profile pulseaudio /usr/bin/pulseaudio {
   }
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.pulseaudio>
+  include if exists <local/usr.bin.pulseaudio>
 }
 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..b365c927b65 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,12 @@
 # vim:syntax=apparmor
 
-#include <tunables/global>
+abi <abi/3.0>,
 
-/usr/bin/uuidd {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
 
   network inet dgram,
 
@@ -13,5 +15,5 @@
   /run/uuidd/request rw,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.uuidd>
+  include if exists <local/usr.bin.uuidd>
 }
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..c5bb67d562f 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,12 @@
-#include <tunables/global>
+# vim:syntax=apparmor
 
-/usr/bin/wpa_supplicant {
-  #include <abstractions/base>
-  #include <abstractions/dbus-strict>
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability net_admin,
   capability net_raw,
@@ -45,5 +49,5 @@
        bus=system
        path=/fi/epitest/hostap/WPASupplicant/**,
 
-  #include <local/usr.bin.wpa_supplicant>
+  include if exists <local/usr.bin.wpa_supplicant>
 }
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
 diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
 @@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
    ldd = /usr/bin/ldd
    logger = /bin/logger /usr/bin/logger
  
-@@ -36,10 +36,10 @@
-   custom_includes =
- 
+@@ -51,12 +51,10 @@
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
--[repository]
--  distro         = ubuntu-intrepid
--  url            = http://apparmor.test.opensuse.org/backend/api
--  preferred_user = ubuntu
-+#[repository]
-+#  distro         = ubuntu-intrepid
-+#  url            = http://apparmor.test.opensuse.org/backend/api
-+#  preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+   /usr/bin/sed  = icn
+   /bin/touch    = icn
+   /usr/bin/touch = icn
+-  /sbin/killall5 = icn
+-  /usr/sbin/killall5 = icn
++  /usr/bin/killall5 = icn
+   /usr/bin/find = icn
+   /usr/bin/killall = icn
+   /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
+   /usr/bin/tr   = icn
  
- [qualifiers]
-   # things will be painfully broken if bash has a profile
+ [required_hats]
+-- 
+2.29.0
 
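Review bot: The rewritten correct_paths_logprofconf.patch no longer carries the old hunk that commented out the [repository] section (distro, url = http://apparmor.test.opensuse.org/backend/api, preferred_user), and nothing in the new version says why. If the 3.0.0 utils/logprof.conf has already dropped that section, say so in the patch description; if it has not, the packaged config ships with that plain-http test backend enabled again. Separately, the added /usr/bin/python3.8 and /usr/bin/python3.9 lines are not path corrections and will need another edit for every Python release, so they belong in their own patch with their own subject.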
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+ 
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
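Review bot: fix-musl.patch has no header or description, so nothing records which declarations the added #include <limits.h> in binutils/aa_status.c and #include <sys/socket.h> in sys/apparmor.h are needed for on musl, or whether the change was sent upstream. The second include lands in the public libapparmor header, so every consumer of sys/apparmor.h now pulls in sys/socket.h as well. Add a short From/Subject block like the one now on correct_paths_logprofconf.patch, naming the missing symbols and linking the upstream report, so the patch can be dropped cleanly at the next update.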
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..4c260b24a1b 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
 license="GPL-2.0-only, LGPL-2.1-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
 patch_args="-Np1"
 
 if [ -z "$CROSS_BUILD" ]; then
 	configure_args="--with-perl --with-python"
 fi
 
-post_patch() {
-	# Make.rules feeds some system headers to the C preprocessor to produce
-	# lists of capability and address-family names that, respectively,
-	# populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
-	# backslash in the '\#include" directives here is seen by the
-	# preprocessor, causing it to skip the system headers and produce empty
-	# files. Removing the backslash ensures correct behavior.
-	vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
 pre_configure() {
 	autoreconf -if
 }
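Review bot: The removed post_patch() was, per its own comment, the only thing keeping common/Make.rules from producing empty parser/cap_names.h and parser/af_names.h, and the hunk drops it without stating that 3.0.0 no longer escapes the '\#include' directives. The failure mode described there is empty generated files, which is easy to miss in a build log, so please confirm against the 3.0.0 Make.rules and say so in the commit message, or add a check after the build that both generated headers are non-empty.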
@@ -40,14 +30,18 @@ pre_configure() {
 pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
-
-	# Put in place our own profiles
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+
+	# use the correct syslog path
+	vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
 }
 
 post_build() {
 	cd ${wrksrc}
-	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+	# fix cross compilation
+	vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
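Review bot: The new 's,cpp,$(CPP),' expression in post_build() is unanchored: it rewrites the first "cpp" substring on every line of parser/Makefile, not only the preprocessor invocation, so any file name, variable or comment containing those letters is changed too. Match the command in its context (the surrounding recipe text, or word boundaries) so that only the intended call is replaced, and mention in the comment which rule it targets so the substitution can be re-checked on the next version bump.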
@@ -56,27 +50,31 @@ post_build() {
 
 post_install() {
 	cd ${wrksrc}
-	make DESTDIR=${DESTDIR} install -C binutils
-	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
-	make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
-		SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
-	make DESTDIR=${DESTDIR} install -C profiles
-
-	# Put Vim syntax in the correct place
-	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
-	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
+	make $commonflags install -C binutils
+	make $commonflags \
+		BINDIR="${DESTDIR}/usr/bin" \
+		VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+		install -C utils
+	make $commonflags \
+		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+		install -C parser
+	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
+
+	# we installed a custom conflicting profile
+	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
 	short_desc+=" - Vim syntax"
 	depends="vim"
 	pkg_install() {
-		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/vim/vimfiles/syntax/apparmor.vim
 		vmove usr/share/man/man5/apparmor.vim.5
 	}
 }
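Review bot: In post_install(), commonflags is assembled with escaped quotes and then expanded unquoted in 'make $commonflags', so the shell word-splits the string without removing the inner quotes: make receives DESTDIR="..." with literal quote characters in the value, and a DESTDIR containing whitespace would be split into separate arguments. It works only where the value is later re-parsed by a shell inside a recipe. The template already relies on bash (the {,local/} brace expansion below), so use an array, commonflags=(DESTDIR="${DESTDIR}" SBINDIR="${DESTDIR}/usr/bin" USR_SBINDIR="${DESTDIR}/usr/bin") with make "${commonflags[@]}", or pass the variables directly on each make line as the profiles call does.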


* Re: apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (25 preceding siblings ...)
  2020-11-12  9:58 ` [PR PATCH] [Updated] " PaperMountainStudio
@ 2020-11-22  3:16 ` the-maldridge
  2020-11-22  3:26 ` ericonr
  2020-11-22  3:58 ` [PR PATCH] [Merged]: " ericonr
  28 siblings, 0 replies; 30+ messages in thread
From: the-maldridge @ 2020-11-22  3:16 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 192 bytes --]

New comment by the-maldridge on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-731689616

Comment:
@ericonr can you re-review and merge if good?


* Re: apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (26 preceding siblings ...)
  2020-11-22  3:16 ` the-maldridge
@ 2020-11-22  3:26 ` ericonr
  2020-11-22  3:58 ` [PR PATCH] [Merged]: " ericonr
  28 siblings, 0 replies; 30+ messages in thread
From: ericonr @ 2020-11-22  3:26 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/25967#issuecomment-731692028

Comment:
@paper42 see if you can figure out how the cache thing works; I don't think it was working for the previous version, so it should be ok to fix it later.


* Re: [PR PATCH] [Merged]: apparmor: update to 3.0.0
  2020-10-29 11:41 [PR PATCH] [WIP] apparmor: update to 3.0.0 PaperMountainStudio
                   ` (27 preceding siblings ...)
  2020-11-22  3:26 ` ericonr
@ 2020-11-22  3:58 ` ericonr
  28 siblings, 0 replies; 30+ messages in thread
From: ericonr @ 2020-11-22  3:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 312 bytes --]

There's a merged pull request on the void-packages repository

apparmor: update to 3.0.0
https://github.com/void-linux/void-packages/pull/25967

Description:
+ builds and works fine for x86_64-glibc

- [x] fix build on musl
- [x] check what happens with dhcpcd profile on kernels before 5.8 (bpf cap is 5.8+)

