diff -Nru apparmor-2.8.96~2652/debian/changelog apparmor-2.8.96~2652/debian/changelog --- apparmor-2.8.96~2652/debian/changelog 2014-10-07 09:51:25.000000000 -0500 +++ apparmor-2.8.96~2652/debian/changelog 2014-10-27 07:13:46.000000000 -0500 @@ -1,3 +1,13 @@ +apparmor (2.8.96~2652-0ubuntu5.3) 14.09; urgency=medium + + * debian/lib/apparmor/functions: disable expr tree simplification for + /var/lib/apparmor/profiles (LP: #1383858) + * parser-dont-skip-read-cache-with-optimizations.patch: don't skip read + cache when specifying '-O' (LP: #1385947) + * 10-lp1371771.patch, 11-lp1371765.patch: refresh for the above + + -- Jamie Strandboge Mon, 27 Oct 2014 07:13:42 -0500 + apparmor (2.8.96~2652-0ubuntu5.1) 14.09; urgency=medium * debian/apparmor.{upstart,init}: check if click-apparmor md5sums changed so diff -Nru apparmor-2.8.96~2652/debian/lib/apparmor/functions apparmor-2.8.96~2652/debian/lib/apparmor/functions --- apparmor-2.8.96~2652/debian/lib/apparmor/functions 2014-10-07 09:50:00.000000000 -0500 +++ apparmor-2.8.96~2652/debian/lib/apparmor/functions 2014-10-22 10:26:28.000000000 -0500 @@ -52,6 +52,13 @@ cache_args= fi + # LP: #1383858 - expr tree simplification is too slow for + # click policy, so disable it for now + cache_extra_args= + if [ "$pdir" = "$PROFILES_VAR" ] && [ -d "$PROFILES_CACHE_VAR" ]; then + cache_extra_args="-O no-expr-simplify" + fi + # If need to compile everything, then use -n1 with xargs to # take advantage of -P. When cache files are in use, omit -n1 # since it is considerably faster on moderately sized profile @@ -68,7 +75,7 @@ echo "$pdir"/"$profile" fi done) | \ - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args -- || { + xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { rc_all="$?" # FIXME: when the parser properly handles broken # profiles (LP: #1377338), remove this if statement. 
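Review bot: In the `@@ -52,6 +52,13 @@` hunk of debian/lib/apparmor/functions, the added comment says why expr simplification is disabled but not why the flag is also gated on `[ -d "$PROFILES_CACHE_VAR" ]`. It also does not say that `$cache_extra_args` must stay unquoted in the two `xargs` lines (the `-68,7` and `-84,7` hunks) so that it splits into `-O` and `no-expr-simplify`. I would extend the comment, e.g. `# applied only to $PROFILES_VAR when its cache dir exists; expanded unquoted below on purpose (constant value, two words)`. The test `"$pdir" = "$PROFILES_VAR"` is an exact string match, so the same directory spelled differently (trailing slash, symlink) would presumably skip the flag without any message. That is worth confirming against the callers, which are outside this hunk, as is the rest of the enclosing function.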
@@ -84,7 +91,7 @@ echo "$pdir"/"$profile" fi done) | \ - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args -- || { + xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { rc_all="$?" } fi diff -Nru apparmor-2.8.96~2652/debian/patches/10-lp1371771.patch apparmor-2.8.96~2652/debian/patches/10-lp1371771.patch --- apparmor-2.8.96~2652/debian/patches/10-lp1371771.patch 2014-09-22 09:21:14.000000000 -0500 +++ apparmor-2.8.96~2652/debian/patches/10-lp1371771.patch 2014-10-27 07:05:55.000000000 -0500 @@ -45,7 +45,7 @@ ,command); } -@@ -411,6 +414,9 @@ static int process_arg(int c, char *opta +@@ -409,6 +412,9 @@ static int process_arg(int c, char *opta case 131: create_cache_dir = 1; break; @@ -55,7 +55,7 @@ case 'L': cacheloc = strdup(optarg); break; -@@ -719,9 +725,10 @@ int process_binary(int option, const cha +@@ -717,9 +723,10 @@ int process_binary(int option, const cha if (profilename) { fd = open(profilename, O_RDONLY); if (fd == -1) { @@ -67,7 +67,7 @@ } } else { fd = dup(0); -@@ -734,7 +741,7 @@ int process_binary(int option, const cha +@@ -732,7 +739,7 @@ int process_binary(int option, const cha chunksize <<= 1; if (!buffer) { PERROR(_("Memory allocation error.")); @@ -76,7 +76,7 @@ } } -@@ -860,7 +867,7 @@ int process_profile(int option, const ch +@@ -858,7 +865,7 @@ int process_profile(int option, const ch if ( !(yyin = fopen(profilename, "r")) ) { PERROR(_("Error: Could not read profile %s: %s.\n"), profilename, strerror(errno)); @@ -85,7 +85,7 @@ } } else { -@@ -922,7 +929,7 @@ int process_profile(int option, const ch +@@ -920,7 +927,7 @@ int process_profile(int option, const ch !skip_cache) { if (asprintf(&cachename, "%s/%s", cacheloc, basename)<0) { PERROR(_("Memory allocation error.")); 
@@ -94,7 +94,7 @@ } /* Load a binary cache if it exists and is newest */ if (!skip_read_cache && -@@ -938,11 +945,11 @@ int process_profile(int option, const ch +@@ -936,11 +943,11 @@ int process_profile(int option, const ch /* Otherwise, set up to save a cached copy */ if (asprintf(&cachetemp, "%s-XXXXXX", cachename)<0) { perror("asprintf"); @@ -108,7 +108,7 @@ } } } -@@ -1160,7 +1167,7 @@ static void setup_flags(void) +@@ -1158,7 +1165,7 @@ static void setup_flags(void) int main(int argc, char *argv[]) { @@ -117,7 +117,7 @@ int i; int optind; -@@ -1203,13 +1210,16 @@ int main(int argc, char *argv[]) +@@ -1201,13 +1208,16 @@ int main(int argc, char *argv[]) setup_flags(); @@ -137,7 +137,7 @@ } /* skip stdin if we've seen other command line arguments */ if (i == argc && optind != argc) -@@ -1224,10 +1234,9 @@ int main(int argc, char *argv[]) +@@ -1222,10 +1232,9 @@ int main(int argc, char *argv[]) int (*cb)(DIR *dir, const char *name, struct stat *st, void *data); cb = binary_input ? binary_dir_cb : profile_dir_cb; @@ -149,7 +149,7 @@ } } else if (binary_input) { retval = process_binary(option, profilename); -@@ -1237,10 +1246,16 @@ int main(int argc, char *argv[]) +@@ -1235,10 +1244,16 @@ int main(int argc, char *argv[]) if (profilename) free(profilename); profilename = NULL; diff -Nru apparmor-2.8.96~2652/debian/patches/11-lp1371765.patch apparmor-2.8.96~2652/debian/patches/11-lp1371765.patch --- apparmor-2.8.96~2652/debian/patches/11-lp1371765.patch 2014-09-22 09:24:25.000000000 -0500 +++ apparmor-2.8.96~2652/debian/patches/11-lp1371765.patch 2014-10-27 07:06:11.000000000 -0500 @@ -35,7 +35,7 @@ ,command); } -@@ -417,6 +420,9 @@ static int process_arg(int c, char *opta +@@ -415,6 +418,9 @@ static int process_arg(int c, char *opta case 132: abort_on_error = 1; break; 
@@ -45,7 +45,7 @@ case 'L': cacheloc = strdup(optarg); break; -@@ -939,7 +945,8 @@ int process_profile(int option, const ch +@@ -937,7 +943,8 @@ int process_profile(int option, const ch if (show_cache) PERROR("Cache hit: %s\n", cachename); retval = process_binary(option, cachename); diff -Nru apparmor-2.8.96~2652/debian/patches/parser-dont-skip-read-cache-with-optimizations.patch apparmor-2.8.96~2652/debian/patches/parser-dont-skip-read-cache-with-optimizations.patch --- apparmor-2.8.96~2652/debian/patches/parser-dont-skip-read-cache-with-optimizations.patch 1969-12-31 18:00:00.000000000 -0600 +++ apparmor-2.8.96~2652/debian/patches/parser-dont-skip-read-cache-with-optimizations.patch 2014-10-27 07:05:28.000000000 -0500 @@ -0,0 +1,20 @@ +Author: John Johansen +Description: When specifying '-O' to the parser, it skips reading the cache. + On Ubuntu, due to LP: #1383858 we want to use no-expr-simplify, but also use + the cache if it is there. +Forwarded: no (Ubuntu-specific) +Bug: https://launchpad.net/bugs/1385947 + +Index: apparmor-2.8.96~2652/parser/parser_main.c +=================================================================== +--- apparmor-2.8.96~2652.orig/parser/parser_main.c ++++ apparmor-2.8.96~2652/parser/parser_main.c +@@ -357,8 +357,6 @@ static int process_arg(int c, char *opta + } + break; + case 'O': +- skip_read_cache = 1; +- + if (!handle_flag_table(optflag_table, optarg, + &dfaflags)) { + PERROR("%s: Invalid --Optimize option %s\n", diff -Nru apparmor-2.8.96~2652/debian/patches/series apparmor-2.8.96~2652/debian/patches/series --- apparmor-2.8.96~2652/debian/patches/series 2014-09-19 14:49:20.000000000 -0500 +++ apparmor-2.8.96~2652/debian/patches/series 2014-10-27 07:04:53.000000000 -0500 @@ -7,6 +7,7 @@ etc-writable.patch aa-utils_are_bilingual.patch parser-include-usr-share-apparmor.patch +parser-dont-skip-read-cache-with-optimizations.patch # # Patches not yet upstream
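Review bot: Dropping `skip_read_cache = 1;` under `case 'O':` in the new parser-dont-skip-read-cache-with-optimizations.patch changes behaviour for every `-O` value, not only `no-expr-simplify`, and neither the Description nor the code says so. The cache test visible in the refreshed 10-lp1371771.patch context (`/* Load a binary cache if it exists and is newest */`) appears to go by freshness only, so on a cache hit an entry compiled under different optimization flags would be loaded and the requested `-O` setting would silently have no effect. I would record that at the case, e.g. `/* -O no longer forces a recompile; a fresh cache entry built with other flags is loaded as-is, pass --skip-read-cache to rebuild */`, and repeat it in the patch header. Because more invocations now load precompiled policy from the cache directory, it is also worth confirming that the directory is writable by root only. `process_arg` continues outside the hunk.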