diff -Nru apparmor-2.7.102/debian/changelog apparmor-2.7.102/debian/changelog
--- apparmor-2.7.102/debian/changelog 2012-12-19 05:51:42.000000000 -0800
+++ apparmor-2.7.102/debian/changelog 2013-01-24 12:16:38.000000000 -0800
@@ -1,3 +1,15 @@
+apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low
+
+ * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
+ rewrite of PUx modes (LP: #982619)
+ * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
+ matchflags in parser dfa backend and add testcase demonstrating
+ the problem (LP: #1091642)
+ * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work
+ within ubuntu-integration (LP: #987578)
+
+ -- Steve Beattie Thu, 24 Jan 2013 11:40:48 -0800
+
 apparmor (2.7.102-0ubuntu3.7) precise-security; urgency=low * debian/patches/0001-add-chromium-browser.patch:
diff -Nru apparmor-2.7.102/debian/patches/0022-aa-logprof-PUx_rewrite_fix-lp982619.patch apparmor-2.7.102/debian/patches/0022-aa-logprof-PUx_rewrite_fix-lp982619.patch
--- apparmor-2.7.102/debian/patches/0022-aa-logprof-PUx_rewrite_fix-lp982619.patch 1969-12-31 16:00:00.000000000 -0800
+++ apparmor-2.7.102/debian/patches/0022-aa-logprof-PUx_rewrite_fix-lp982619.patch 2013-01-24 12:15:13.000000000 -0800
@@ -0,0 +1,67 @@ +Subject: fix aa-logprof rewrite of PUx modes +Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/release-2.7/revision/1900 +Bug: https://launchpad.net/bugs/982619 +committer: Steve Beattie + + Merge from trunk rev 2034: fix aa-logprof rewrite of PUx modes + + When writing out a profile, aa-logprof incorrectly converts PUx execute + permission modes to the syntactically invalid UPx mode, because the + function that converts the internal representation of permissions to + a string emits the U(nconfined) mode bit before the P bit. + + This patch corrects this by reordering the way the exec permissions + are emitted, so that P and C modes come before U and i. Based on + http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules + this should emit the modes correctly in all combined exec modes. + Other approaches to fixing this would require adjusting the data + structure that contains the permission modes, resulting in a more + invasive patch. + + Nominated-By: Steve Beattie + Signed-Off-By: John Johansen + +--- + utils/Immunix/AppArmor.pm | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +Index: b/utils/Immunix/AppArmor.pm +=================================================================== +--- a/utils/Immunix/AppArmor.pm ++++ b/utils/Immunix/AppArmor.pm +@@ -4804,13 +4804,9 @@ sub sub_mode_to_str($) { + $str .= "a" if ($mode & $AA_MAY_APPEND); + $str .= "l" if ($mode & $AA_MAY_LINK); + $str .= "k" if ($mode & $AA_MAY_LOCK); +- if ($mode & $AA_EXEC_UNCONFINED) { +- if ($mode & $AA_EXEC_UNSAFE) { +- $str .= "u"; +- } else { +- $str .= "U"; +- } +- } ++ ++ # modes P and C *must* come before I and U; otherwise syntactically ++ # invalid profiles result + if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) { + if ($mode & $AA_EXEC_UNSAFE) { + $str .= "p"; +@@ -4825,7 +4821,18 @@ sub sub_mode_to_str($) { + $str .= "C"; + } + } ++ ++ # modes P and C *must* come before I and U; otherwise syntactically ++ 
# invalid profiles result ++ if ($mode & $AA_EXEC_UNCONFINED) { ++ if ($mode & $AA_EXEC_UNSAFE) { ++ $str .= "u"; ++ } else { ++ $str .= "U"; ++ } ++ } + $str .= "i" if ($mode & $AA_EXEC_INHERIT); ++ + $str .= "x" if ($mode & $AA_MAY_EXEC); + + return $str; diff -Nru apparmor-2.7.102/debian/patches/0023-lp1091642-parser-reset_matchflags.patch apparmor-2.7.102/debian/patches/0023-lp1091642-parser-reset_matchflags.patch --- apparmor-2.7.102/debian/patches/0023-lp1091642-parser-reset_matchflags.patch 1969-12-31 16:00:00.000000000 -0800 +++ apparmor-2.7.102/debian/patches/0023-lp1091642-parser-reset_matchflags.patch 2013-01-24 11:39:48.000000000 -0800 @@ -0,0 +1,102 @@ +Origin: upstream, http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/2085 + and http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/2086 +Subject: reset match flags state +Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1091642 + +revno: 2059 +committer: John Johansen +branch nick: 2.8 +timestamp: Mon 2012-12-10 15:12:22 -0800 +message: + fix a nasty little bug that can surface in apparmor 2.8 when + Hats/children profiles are used. + + the matchflags in the dfa backend are not getting properly reset, which + results in a previously processed profiles match flags being used. This is + not a problem for most permissions but can result in x conflict errors. + + Note: this should not result in profiles with the wrong x transitions loaded + as it causes compilation to file with an x conflict. + + This is a minimal patch targeted at the 2.8 release. As such I have just + updated the delete_ruleset routine to clear the flags as it is already + being properly called for every rule set. + + Apparmor 2.9/3.0 will have a different approach where it is not possible + to reuse the flags. + + 
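Review bot: The three-line comment `# modes P and C *must* come before I and U; otherwise syntactically invalid profiles result` is added twice in the patched sub_mode_to_str — once ahead of the P/C block in the hunk at 4804 and again ahead of the relocated U/u block in the hunk at 4821. One copy in front of the P/C block is enough; the second could be dropped or shortened to `# U/u is emitted after P/C (see above)` so the two do not drift apart. The patch also fixes the emitted order without adding a check that a mode carrying both the profile and unconfined bits now stringifies as "PUx" rather than "UPx"; if the 2.7 utils tree has any harness for AppArmor.pm, a one-line assertion there would pin the bug described in the header. sub_mode_to_str begins before the hunk, so the bit-to-letter table it reads is not visible here.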
Signed-off-by: John Johansen + Acked-by: Steve Beattie + +revno: 2060 +committer: Steve Beattie +branch nick: 2.8 +timestamp: Mon 2012-12-10 17:01:24 -0800 +message: + Add a testcase for the issue fixed in commit 2059. + + Signed-off-by: Steve Beattie + Acked-by: John Johansen + +--- + parser/libapparmor_re/aare_rules.cc | 2 + + parser/tst/simple_tests/xtrans/x-conflict2.sd | 39 ++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +Index: b/parser/libapparmor_re/aare_rules.cc +=================================================================== +--- a/parser/libapparmor_re/aare_rules.cc ++++ b/parser/libapparmor_re/aare_rules.cc +@@ -57,6 +57,8 @@ extern "C" void aare_delete_ruleset(aare + if (rules->root) + rules->root->release(); + free(rules); ++ ++ aare_reset_matchflags(); + } + } + +Index: b/parser/tst/simple_tests/xtrans/x-conflict2.sd +=================================================================== +--- /dev/null ++++ b/parser/tst/simple_tests/xtrans/x-conflict2.sd +@@ -0,0 +1,39 @@ ++# ++#=DESCRIPTION test for reused flag state ++#=EXRESULT PASS ++# ++ ++/usr/bin/parent-profile { ++ ++ /usr/bin/profile1 Cx -> profile1, ++ /usr/bin/profile2 Cx -> profile2, ++ /usr/bin/profile3 Cx -> profile3, ++ /usr/bin/profile4 Cx -> profile4, ++ /usr/bin/profile5 Cx -> profile5, ++ /usr/bin/profile6 Cx -> profile6, ++ ++ profile profile1 { ++ ++ } ++ ++ profile profile2 { ++ ++ } ++ ++ profile profile3 { ++ ++ } ++ ++ profile profile4 { ++ /usr/bin/apt-get Ux, ++ /usr/bin/dpkg Ux, ++ } ++ ++ profile profile5 { ++ ++ } ++ ++ profile profile6 { ++ ++ } ++} diff -Nru apparmor-2.7.102/debian/patches/0024-profiles-allow_exo-open-lp987578.patch apparmor-2.7.102/debian/patches/0024-profiles-allow_exo-open-lp987578.patch --- apparmor-2.7.102/debian/patches/0024-profiles-allow_exo-open-lp987578.patch 1969-12-31 16:00:00.000000000 -0800 +++ apparmor-2.7.102/debian/patches/0024-profiles-allow_exo-open-lp987578.patch 2013-01-24 12:15:05.000000000 -0800 
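Review bot: `aare_reset_matchflags();` is placed after `free(rules);` inside what appears to be the `if (rules)` guard of aare_delete_ruleset (the function's opening brace and the guard are outside the hunk), so the flags are cleared only when a previous ruleset is actually torn down. Any path that builds a ruleset and never reaches aare_delete_ruleset for it — an error exit, or a caller that skips deletion — leaves the stale flags in place for the next profile, which is the same reuse the commit message describes; the message acknowledges this is a minimal 2.8 fix and that later releases stop sharing the flags. A more robust placement for this backport would be to also reset the flags where a ruleset is created, so every compile starts from clean state regardless of teardown order. The new x-conflict2.sd reproducer only carries `#=EXRESULT PASS`; a line in its header noting that profile4's `Ux` rules following the parent's `Cx` rules are what exercised the stale-flag conflict would make the test's intent clear to the next person who edits it.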
@@ -0,0 +1,32 @@
+Subject: ubuntu-integration does not work properly with exo-open
+Origin: http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.8/revision/2063.1.4
+committer: Steve Beattie
+Bug: https://launchpad.net/bugs/987578
+
+ Merge from trunk commit 2059:
+
+ Original message:
+ Author: Mark Ramsell
+ Description: ubuntu-integration does not work properly with exo-open
+ Bug-Ubuntu: https://launchpad.net/bugs/987578
+
+ Acked-By: Jamie Strandboge
+
+ Nominated-by: Steve Beattie
+ Acked-by: John Johansen
+
+---
+ profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+===================================================================
+--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
++++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+@@ -29,3 +29,6 @@
+
+ # Exo-aware applications
+ /usr/bin/exo-open ixr,
++ /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
++ /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
++ /etc/xdg/xfce4/helpers.rc r,
diff -Nru apparmor-2.7.102/debian/patches/series apparmor-2.7.102/debian/patches/series
--- apparmor-2.7.102/debian/patches/series 2012-12-19 05:49:12.000000000 -0800
+++ apparmor-2.7.102/debian/patches/series 2013-01-24 12:14:50.000000000 -0800
@@ -19,3 +19,6 @@
 0019-lp1056391.patch
 0020-vdpau_wrapper.patch
 0021-fix-racy-onexec-test.patch
+0022-aa-logprof-PUx_rewrite_fix-lp982619.patch
+0023-lp1091642-parser-reset_matchflags.patch
+0024-profiles-allow_exo-open-lp987578.patch
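Review bot: `/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,` uses inherit execution, matching the `/usr/bin/exo-open ixr,` line above it, which keeps the helper under the calling browser's profile rather than dropping confinement; the consequence is that whatever exo-helper-1 launches according to helpers.rc also runs under this profile and needs its own rules, and nothing in the abstraction records that this is the intended trade-off. A short comment above the new line, `# exo-helper-1 stays confined (ix); programs it launches inherit this profile`, would make that choice explicit for the next rule added here. The `/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,` path is specific to one desktop flavour's XDG_CONFIG_DIRS layout; other flavours that set a different prefix may need an equivalent read rule, though I cannot confirm from this hunk which layouts are in use.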