diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold --- a/autotests/folding/usr.bin.apparmor-profile-test.fold +++ b/autotests/folding/usr.bin.apparmor-profile-test.fold 
@@ -1,210 +1,157 @@ -# Example AppArmor Profile. +# Sample AppArmor Profile. # License: Public Domain -# Last change: August 29, 2017 - -# NOTE: This profile is not fully functional, since -# it is designed to test the syntax highlighting. +# Last change: January 25, 2018 include -# Declare an AppArmor variables to help with overrides -@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo -@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop +# Variable assignment +@{FOO_LIB}=/usr/lib{,32,64}/foo +@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop +@{USER_DIR} += @{HOME}/Hello # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected, enforce) { +/usr/bin/foo (attach_disconnected, enforce) { include include - include - include - include - include - include - include #include - #include - #include"/etc/apparmor.d/abstractions/open-browser" - include "/etc/apparmor.d/abstractions/open-email" - - /{,**/} r,# Read only directories - - owner /{home,media,mnt,srv,net}/** r, - owner @{USER_DIR}/{,**} rw, - - audit deny owner /**/* mx, - audit deny owner /**/**.py* r, - - # Files supported - /**.[tT][xX][tT] r, # txt - /**.[wW][bB][mM][pP] r, # wbmp - /**.[wW][eE][bB][pP] r, # webp - - # Local configuration - owner file @{HOME}/.local/share/foo/{,**} rwk, - owner @{HOME}/.local/share/RecentDocuments/* rwk, - owner @{HOME}/.config/foo/{,**} rwk, - owner @{HOME}/.config/foorc{,.lock} rwk, - owner @{HOME}/.config/.[a-zA-Z0-9]* rwk, - owner @{HOME}/.cache/foo/{,**} rwk, - - "/usr/share/**" r, - "/var/lib/flatpak/exports/share/**" r, - "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, - "/var/lib/snapd/desktop/applications/**" r, - - allow file /etc/nsswitch.conf r, - allow /etc/fstab r, - /etc/udev/udev.conf r, - /etc/passwd r, - /etc/xdg/{,**} r, - /etc/xdg/Trolltech.conf k, - deny /etc/xdg/{autostart,systemd}/{,**} rw, - deny /boot/** rwlkmx, - @{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r, - /sys/devices/**/uevent r, - - # Libraries and binaries - /usr/bin/foo ixr, 
- /usr/bin/dolphin PUx, - /usr/bin/khelpcenter Cxr -> sanitized_helper, - /usr/bin/helloworld Cxr -> hello_world, - /usr/bin/* Pixr, - /usr/lib{,64}/** Pixr, - /usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m, - @{FOO_LIB}/{,**} mr, - - # Temporal files and sockets - owner /tmp/{*lock,kde-*/**} rwk, - owner /var/tmp/kdecache-*/* rwk, - owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk, - owner /run/user/[0-9]*/ksocket-*/{,**} rwk, - /run/dbus/system_bus_socket w, - - /dev/{ati,dri}/** rw, - audit deny /dev/{audio,video}* rwlkmx, + #include + #include"/etc/apparmor.d/abstractions/ubuntu-konsole" + include "/etc/apparmor.d/abstractions/openssl" + + /{,**/} r,# Read only directories + + owner /{home,media,mnt,srv,net}/** r, + owner @{USER_DIR}/** rw, + audit deny owner /**/* mx, + /**.[tT][xX][tT] r, # txt + + owner file @{HOME}/.local/share/foo/{,**} rwkl, + owner @{HOME}/.config/foo/{,**} rwk, + owner @{HOME}/.config/* rw, + owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, + owner @{HOME}/.cache/foo/{,**} rwk, + + "/usr/share/**" r, + "/var/lib/flatpak/exports/share/**" r, + "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, + + allow file /etc/nsswitch.conf r, + allow /etc/fstab r, + /etc/udev/udev.conf r, + /etc/xdg/** r, + /etc/xdg/Trolltech.conf k, + deny /etc/xdg/{autostart,systemd}/** r, + deny /boot/** rwlkmx, + + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, + /sys/devices/**/uevent r, + + /usr/bin/foo ixr, + /usr/bin/dolphin PUx, + /usr/bin/* Pixr, + /usr/bin/khelpcenter Cx -> sanitized_helper, + /usr/bin/helloworld Cxr -> + hello_world, + + /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m, + @{FOO_LIB}/{,**} mr, + + audit deny /dev/{audio,video}* rwlkmx, # Dbus rules - dbus (send) + dbus (send) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable - peer=(name=org.freedesktop.NetworkManager label=unconfined), - dbus (send receive) + 
peer=(name=org.freedesktop.NetworkManager label=unconfined), + dbus (send receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={Introspect,state} - peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), - dbus (send) + peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), + dbus (send) bus=session path=/org/gnome/GConf/Database/* - member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, + member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, + dbus (bind) + bus=system + name=org.bluez, # Signal rules - signal (send) set=(term) peer=unconfined, - signal (send, receive) set=(int exists) peer=/usr/lib/hello/world//foo-helper, + signal (send) set=(term) peer=unconfined, + signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile profile hello_world { # File rules (three different ways) - file /usr/lib{,32,64}/helloworld/**.so mr, - /usr/lib{,32,64}/helloworld/** r, - rk /usr/lib{,32,64}/helloworld/hello,file, + file /usr/lib{,32,64}/helloworld/**.so mr, + /usr/lib{,32,64}/helloworld/** r, + rk /usr/lib{,32,64}/helloworld/hello,file, # Link rules (two ways) - l /foo1 -> /bar, - link /foo2 -> bar, - link /foo3 to bar, - link subset /link* -> /**, + l /foo1 -> /bar, + link /foo2 -> bar, + link /foo3 to bar, + link subset /link* -> /**, # Network rules - network inet6 tcp,#Allow access to tcp only for inet6 addresses - network netlink dgram, - network bluetooth, + network inet6 tcp, #Allow access to tcp only for inet6 addresses + network netlink dgram, + network bluetooth, + network unspec dgram, # Capability rules - capability dac_override, - capability sys_admin, - capability sys_chroot, + capability dac_override, + capability sys_admin, + capability sys_chroot, # Mount rules - mount options=(rw bind remount nodev noexec) fstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, - mount options in (rw, bind) / -> 
/run/hellowordd/*.mnt, - umount /home/*/helloworld/, + mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, + mount options in (rw, bind) / -> /run/hellowordd/*.mnt, + mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*, + umount /home/*/helloworld/, # Pivot Root rules - pivot_root oldroot=/mnt/root/old/ /mnt/root/, - pivot_root /mnt/root/, + pivot_root oldroot=/mnt/root/old/ /mnt/root/, + pivot_root /mnt/root/, # Ptrace rules - ptrace (trace) peer=unconfined, - ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, + ptrace (trace) peer=unconfined, + ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules - unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*), - unix (send,receive) type=(stream) protocol=0 peer=(addr=none), - unix peer=(label=@{profile_name},addr=@helloworld), + unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*), + unix (send,receive) type=(stream) protocol=0 peer=(addr=none), + unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule - set rlimit data <= 100M, - set rlimit nproc <= 10, - set rlimit nice <= 5, + set rlimit data <= 100M, + set rlimit nproc <= 10, + set rlimit memlock <= 2GB, + set rlimit rss <= infinity, # Change Profile rules - change_profile unsafe /** -> [^u/]**, - change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, - change_profile /bin/bash -> new_profile, + change_profile unsafe /** -> [^u/]**, + change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, + change_profile /bin/bash -> + new_profile, # Alias - alias /usr/ -> /mnt/usr/, + alias /usr/ -> /mnt/usr/, } # Hat ^foo-helper { - network unix stream, - unix stream, + network unix stream, + unix stream, - /usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions + /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions # Text 
after a variable is highlighted as path - file /my/path r, - @{FOO_LIB}file r, - @{FOO_LIB}#my/path r, #Comment + file /my/path r, + @{FOO_LIB}file r, + @{FOO_LIB}#my/path r, #Comment } } - -# Profile for /usr/bin/error -profile syntax_error /usr/bin/error flags=(complain audit) { - # Syntax error highlighting: - - # Error: Include - include - include - #includefilepath - # include - file #include /hello r, - - # Error: Variable open or with characters not allowed - @{var - @{sdf&s} - - # Error: Open brackets - /{hello{ab,cd}world kr, - /{abc{abc kr, - /[abc kr, - /(abc kr, - - # Error: Empty brackets - /hello[]hello{}hello()he kr, - - # Error: Open rule - /home/*/file rw - capability dac_overridecapability dac_override - deny file /etc/fstab w - audit network ieee802154, - - dbus (receivedbus (receive - unix stream,unix stream, - unix stream,unix stream, -} diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html --- a/autotests/html/usr.bin.apparmor-profile-test.html +++ b/autotests/html/usr.bin.apparmor-profile-test.html @@ -4,90 +4,65 @@ usr.bin.apparmor-profile-test
-# Example AppArmor Profile.
+# Sample AppArmor Profile.
 # License: Public Domain
-# Last change: August 29, 2017
-
-# NOTE: This profile is not fully functional, since
-# it is designed to test the syntax highlighting.
+# Last change: January 25, 2018
 
 include <tunables/global>
 
-# Declare an AppArmor variables to help with overrides
-@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo
-@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop
+# Variable assignment
+@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop
+@{USER_DIR} += @{HOME}/Hello
 
 # Profile for /usr/bin/foo
 /usr/bin/foo (attach_disconnected, enforce) {
 	include <abstractions/base>
 	include <abstractions/dbus>
-	include <abstractions/dbus-session>
-	include <abstractions/dbus-accessibility>
-	include <abstractions/fonts>
-	include <abstractions/X>
-	include <abstractions/kde>
-	include <abstractions/consoles>
 
 	#include <abstractions/ubuntu-helpers>
-	#include<abstractions/confidential-deny>
-	#include"/etc/apparmor.d/abstractions/open-browser"
-	include "/etc/apparmor.d/abstractions/open-email"
+	#include<abstractions/wayland>
+	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
+	include "/etc/apparmor.d/abstractions/openssl"
 
 	/{,**/} r,# Read only directories
 
 	owner /{home,media,mnt,srv,net}/** r,
-	owner @{USER_DIR}/{,**} rw,
-
+	owner @{USER_DIR}/** rw,
 	audit deny owner /**/* mx,
-	audit deny owner /**/**.py* r,
-
-	# Files supported
-	/**.[tT][xX][tT] r, # txt
-	/**.[wW][bB][mM][pP] r, # wbmp
-	/**.[wW][eE][bB][pP] r, # webp
-
-	# Local configuration
-	owner file @{HOME}/.local/share/foo/{,**} rwk,
-	owner @{HOME}/.local/share/RecentDocuments/* rwk,
-	owner @{HOME}/.config/foo/{,**} rwk,	
-	owner @{HOME}/.config/foorc{,.lock} rwk,
-	owner @{HOME}/.config/.[a-zA-Z0-9]* rwk,
-	owner @{HOME}/.cache/foo/{,**} rwk,
+	/**.[tT][xX][tT] r,  # txt
+	
+	owner file @{HOME}/.local/share/foo/{,**} rwkl,
+	owner @{HOME}/.config/foo/{,**}           rwk,
+	owner @{HOME}/.config/*                   rw,
+	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk,
+	owner @{HOME}/.cache/foo/{,**}            rwk,
 
 	"/usr/share/**" r,
 	"/var/lib/flatpak/exports/share/**" r,
 	"/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
-	"/var/lib/snapd/desktop/applications/**" r,
-
-	allow file /etc/nsswitch.conf r,
-	allow /etc/fstab r,
-	/etc/udev/udev.conf r,
-	/etc/passwd r,
-	/etc/xdg/{,**} r,
-	/etc/xdg/Trolltech.conf k,
-	deny /etc/xdg/{autostart,systemd}/{,**} rw,
-	deny /boot/** rwlkmx,
-	@{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+
+	allow file /etc/nsswitch.conf           r,
+	allow /etc/fstab                        r,
+	/etc/udev/udev.conf                     r,
+	/etc/xdg/**                             r,
+	/etc/xdg/Trolltech.conf                 k,
+	deny /etc/xdg/{autostart,systemd}/**    r,
+	deny /boot/**                           rwlkmx,
+	
+	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
 	/sys/devices/**/uevent r,
 
-	# Libraries and binaries
-	/usr/bin/foo ixr,
-	/usr/bin/dolphin PUx,
-	/usr/bin/khelpcenter Cxr -> sanitized_helper,
-	/usr/bin/helloworld Cxr -> hello_world,
-	/usr/bin/* Pixr,
-	/usr/lib{,64}/** Pixr,
-	/usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m,
+	/usr/bin/foo         ixr,
+	/usr/bin/dolphin     PUx,
+	/usr/bin/*           Pixr,
+	/usr/bin/khelpcenter Cx  -> sanitized_helper,
+	/usr/bin/helloworld  Cxr ->
+			hello_world,
+	
+	/usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
 	@{FOO_LIB}/{,**} mr,
-
-	# Temporal files and sockets
-	owner /tmp/{*lock,kde-*/**} rwk,
-	owner /var/tmp/kdecache-*/* rwk,
-	owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk,
-	owner /run/user/[0-9]*/ksocket-*/{,**} rwk,
-	/run/dbus/system_bus_socket w,
-
-	/dev/{ati,dri}/** rw,
+	
 	audit deny /dev/{audio,video}* rwlkmx,
 
 	# Dbus rules
@@ -106,37 +81,42 @@
 		bus=session
 		path=/org/gnome/GConf/Database/*
 		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+	dbus (bind)
+		bus=system
+		name=org.bluez,
 
 	# Signal rules
 	signal (send) set=(term) peer=unconfined,
-	signal (send, receive) set=(int exists) peer=/usr/lib/hello/world//foo-helper,
+	signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
 
 	# Child profile
-	profile hello_world {
+	profile hello_world {
 		# File rules (three different ways)
 		file /usr/lib{,32,64}/helloworld/**.so mr,
 		/usr/lib{,32,64}/helloworld/** r,
-		rk /usr/lib{,32,64}/helloworld/hello,file,
+		rk /usr/lib{,32,64}/helloworld/hello,file,
 
 		# Link rules (two ways)
-		l /foo1 -> /bar,
+		l /foo1 -> /bar,
 		link /foo2 -> bar,
 		link /foo3 to bar,
 		link subset /link* -> /**,
 
 		# Network rules
-		network inet6 tcp,#Allow access to tcp only for inet6 addresses
+		network inet6 tcp, #Allow access to tcp only for inet6 addresses
 		network netlink dgram,
 		network bluetooth,
+		network unspec dgram,
 
 		# Capability rules
 		capability dac_override,
 		capability sys_admin,
 		capability sys_chroot,
 
 		# Mount rules
-		mount options=(rw bind remount nodev noexec) fstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+		mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
 		mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
+		mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
 		umount /home/*/helloworld/,
 
 		# Pivot Root rules
@@ -153,14 +133,16 @@
 		unix peer=(label=@{profile_name},addr=@helloworld),
 
 		# Rlimit rule
-		set rlimit data <= 100M,
+		set rlimit data  <= 100M,
 		set rlimit nproc <= 10,
-		set rlimit nice <= 5,
+		set rlimit memlock <= 2GB,
+		set rlimit rss <= infinity,
 
 		# Change Profile rules
-		change_profile unsafe /** -> [^u/]**,
-		change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
-		change_profile /bin/bash -> new_profile,
+		change_profile unsafe /** -> [^u/]**,
+		change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+		change_profile /bin/bash  -> 
+			new_profile,
 
 		# Alias
 		alias /usr/ -> /mnt/usr/,
@@ -171,47 +153,12 @@
 		network unix stream,
 		unix stream,
 
-		/usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions
+		/usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
 
 		# Text after a variable is highlighted as path
 		file /my/path r,
 		@{FOO_LIB}file r,
 		@{FOO_LIB}#my/path r, #Comment
 	}
 }
-
-# Profile for /usr/bin/error
-profile syntax_error /usr/bin/error flags=(complain audit) {
-	# Syntax error highlighting:
-
-	# Error: Include
-	include<filepath>
-	include <filepath >
-	#includefilepath
-	# include
-	file #include /hello r,
-
-	# Error: Variable open or with characters not allowed
-	@{var
-	@{sdf&s}
-
-	# Error: Open brackets
-	/{hello{ab,cd}world  kr,
-	/{abc{abc kr,
-	/[abc  kr,
-	/(abc kr,
-
-	# Error: Empty brackets
-	/hello[]hello{}hello()he  kr,
-
-	# Error: Open rule
-	/home/*/file rw
-	capability dac_override
-	deny file /etc/fstab w
-	audit network ieee802154,
-
-	dbus (receive
-	unix stream,
-	unix stream,
-}
 
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test --- a/autotests/input/usr.bin.apparmor-profile-test +++ b/autotests/input/usr.bin.apparmor-profile-test 
@@ -1,87 +1,62 @@ -# Example AppArmor Profile. +# Sample AppArmor Profile. # License: Public Domain -# Last change: August 29, 2017 - -# NOTE: This profile is not fully functional, since -# it is designed to test the syntax highlighting. +# Last change: January 25, 2018 include -# Declare an AppArmor variables to help with overrides -@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo -@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop +# Variable assignment +@{FOO_LIB}=/usr/lib{,32,64}/foo +@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop +@{USER_DIR} += @{HOME}/Hello # Profile for /usr/bin/foo /usr/bin/foo (attach_disconnected, enforce) { include include - include - include - include - include - include - include #include - #include - #include"/etc/apparmor.d/abstractions/open-browser" - include "/etc/apparmor.d/abstractions/open-email" + #include + #include"/etc/apparmor.d/abstractions/ubuntu-konsole" + include "/etc/apparmor.d/abstractions/openssl" /{,**/} r,# Read only directories owner /{home,media,mnt,srv,net}/** r, - owner @{USER_DIR}/{,**} rw, - + owner @{USER_DIR}/** rw, audit deny owner /**/* mx, - audit deny owner /**/**.py* r, - - # Files supported - /**.[tT][xX][tT] r, # txt - /**.[wW][bB][mM][pP] r, # wbmp - /**.[wW][eE][bB][pP] r, # webp - - # Local configuration - owner file @{HOME}/.local/share/foo/{,**} rwk, - owner @{HOME}/.local/share/RecentDocuments/* rwk, - owner @{HOME}/.config/foo/{,**} rwk, - owner @{HOME}/.config/foorc{,.lock} rwk, - owner @{HOME}/.config/.[a-zA-Z0-9]* rwk, - owner @{HOME}/.cache/foo/{,**} rwk, + /**.[tT][xX][tT] r, # txt + + owner file @{HOME}/.local/share/foo/{,**} rwkl, + owner @{HOME}/.config/foo/{,**} rwk, + owner @{HOME}/.config/* rw, + owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, + owner @{HOME}/.cache/foo/{,**} rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, - "/var/lib/snapd/desktop/applications/**" r, - - allow file /etc/nsswitch.conf r, - allow /etc/fstab 
r, - /etc/udev/udev.conf r, - /etc/passwd r, - /etc/xdg/{,**} r, - /etc/xdg/Trolltech.conf k, - deny /etc/xdg/{autostart,systemd}/{,**} rw, - deny /boot/** rwlkmx, - @{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r, + + allow file /etc/nsswitch.conf r, + allow /etc/fstab r, + /etc/udev/udev.conf r, + /etc/xdg/** r, + /etc/xdg/Trolltech.conf k, + deny /etc/xdg/{autostart,systemd}/** r, + deny /boot/** rwlkmx, + + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, - # Libraries and binaries - /usr/bin/foo ixr, - /usr/bin/dolphin PUx, - /usr/bin/khelpcenter Cxr -> sanitized_helper, - /usr/bin/helloworld Cxr -> hello_world, - /usr/bin/* Pixr, - /usr/lib{,64}/** Pixr, - /usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m, + /usr/bin/foo ixr, + /usr/bin/dolphin PUx, + /usr/bin/* Pixr, + /usr/bin/khelpcenter Cx -> sanitized_helper, + /usr/bin/helloworld Cxr -> + hello_world, + + /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m, @{FOO_LIB}/{,**} mr, - - # Temporal files and sockets - owner /tmp/{*lock,kde-*/**} rwk, - owner /var/tmp/kdecache-*/* rwk, - owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk, - owner /run/user/[0-9]*/ksocket-*/{,**} rwk, - /run/dbus/system_bus_socket w, - - /dev/{ati,dri}/** rw, + audit deny /dev/{audio,video}* rwlkmx, # Dbus rules @@ -100,10 +75,13 @@ bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, + dbus (bind) + bus=system + name=org.bluez, # Signal rules signal (send) set=(term) peer=unconfined, - signal (send, receive) set=(int exists) peer=/usr/lib/hello/world//foo-helper, + signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile profile hello_world { 
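Review bot: The new header drops the `# NOTE: This profile is not fully functional, since` / `# it is designed to test the syntax highlighting.` lines without replacing them, so the fixture now reads like a deployable policy although it is only a highlighting sample. Rules that appear to exist only to exercise the grammar — `owner @{HOME}/.config/* rw,` here, and the `change_profile unsafe /** -> [^u/]**,` and `dbus (bind) bus=system name=org.bluez,` rules later in the file — would give anyone who copies the file into /etc/apparmor.d a far broader policy than the `/usr/bin/foo` attachment suggests. Consider keeping a one-line notice after `# Last change: January 25, 2018`, e.g. `# NOTE: syntax-highlighting sample only, not a usable confinement policy.`; the same header edit is repeated in the .fold, .html and .ref fixtures, which are derived from this input. The `/usr/bin/foo (attach_disconnected, enforce) {` block opened in this hunk continues past it.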
@@ -119,18 +97,20 @@ link subset /link* -> /**, # Network rules - network inet6 tcp,#Allow access to tcp only for inet6 addresses + network inet6 tcp, #Allow access to tcp only for inet6 addresses network netlink dgram, network bluetooth, + network unspec dgram, # Capability rules capability dac_override, capability sys_admin, capability sys_chroot, # Mount rules - mount options=(rw bind remount nodev noexec) fstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, + mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, mount options in (rw, bind) / -> /run/hellowordd/*.mnt, + mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*, umount /home/*/helloworld/, # Pivot Root rules @@ -147,14 +127,16 @@ unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule - set rlimit data <= 100M, + set rlimit data <= 100M, set rlimit nproc <= 10, - set rlimit nice <= 5, + set rlimit memlock <= 2GB, + set rlimit rss <= infinity, # Change Profile rules change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, - change_profile /bin/bash -> new_profile, + change_profile /bin/bash -> + new_profile, # Alias alias /usr/ -> /mnt/usr/, 
@@ -165,46 +147,11 @@ network unix stream, unix stream, - /usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions + /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment } } - -# Profile for /usr/bin/error -profile syntax_error /usr/bin/error flags=(complain audit) { - # Syntax error highlighting: - - # Error: Include - include - include - #includefilepath - # include - file #include /hello r, - - # Error: Variable open or with characters not allowed - @{var - @{sdf&s} - - # Error: Open brackets - /{hello{ab,cd}world kr, - /{abc{abc kr, - /[abc kr, - /(abc kr, - - # Error: Empty brackets - /hello[]hello{}hello()he kr, - - # Error: Open rule - /home/*/file rw - capability dac_override - deny file /etc/fstab w - audit network ieee802154, - - dbus (receive - unix stream, - unix stream, -} diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref --- a/autotests/reference/usr.bin.apparmor-profile-test.ref +++ b/autotests/reference/usr.bin.apparmor-profile-test.ref @@ -1,210 +1,157 @@ -# Example AppArmor Profile.
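Review bot: Deleting the `profile syntax_error /usr/bin/error flags=(complain audit) {` block removes the only inputs that exercised error highlighting — the unterminated `@{var`, the unbalanced `/{abc{abc kr,`, rules with no terminating comma such as `/home/*/file rw`, and the truncated `dbus (receive`. Unless the matching error contexts were removed from data/syntax/apparmor.xml in this same commit (its hunks are not legible on this page), those paths are now untested and a regression there would no longer be caught by the .ref/.html/.fold comparisons. If the block was dropped because its deliberately broken braces upset the folding fixture, a separate input holding only the error cases would keep that coverage without touching this one. The `^foo-helper {` hat that this hunk edits starts outside the hunk.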
+# Sample AppArmor Profile.
# License: Public Domain
-# Last change: August 29, 2017
-
-# NOTE: This profile is not fully functional, since
-# it is designed to test the syntax highlighting.
+# Last change: January 25, 2018

include

-# Declare an AppArmor variables to help with overrides
-@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo
-@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop
+# Variable assignment
+@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop
+@{USER_DIR} += @{HOME}/Hello

# Profile for /usr/bin/foo
/usr/bin/foo (attach_disconnected, enforce) {
include
include
- include
- include
- include
- include
- include
- include

#include
- #include
- #include"/etc/apparmor.d/abstractions/open-browser"
- include "/etc/apparmor.d/abstractions/open-email"
-
- /{,**/} r,# Read only directories
-
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/{,**} rw,
-
- audit deny owner /**/* mx,
- audit deny owner /**/**.py* r,
-
- # Files supported
- /**.[tT][xX][tT] r, # txt
- /**.[wW][bB][mM][pP] r, # wbmp
- /**.[wW][eE][bB][pP] r, # webp
-
- # Local configuration
- owner file @{HOME}/.local/share/foo/{,**} rwk,
- owner @{HOME}/.local/share/RecentDocuments/* rwk,
- owner @{HOME}/.config/foo/{,**} rwk,
- owner @{HOME}/.config/foorc{,.lock} rwk,
- owner @{HOME}/.config/.[a-zA-Z0-9]* rwk,
- owner @{HOME}/.cache/foo/{,**} rwk,
-
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
- "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
- "/var/lib/snapd/desktop/applications/**" r,
-
- allow file /etc/nsswitch.conf r,
- allow /etc/fstab r,
- /etc/udev/udev.conf r,
- /etc/passwd r,
- /etc/xdg/{,**} r,
- /etc/xdg/Trolltech.conf k,
- deny /etc/xdg/{autostart,systemd}/{,**} rw,
- deny /boot/** rwlkmx,
- @{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
-
- # Libraries and binaries
- /usr/bin/foo ixr,
- /usr/bin/dolphin PUx,
- /usr/bin/khelpcenter Cxr -> sanitized_helper,
- /usr/bin/helloworld Cxr -> hello_world,
- /usr/bin/* Pixr,
- /usr/lib{,64}/** Pixr,
- /usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m,
- @{FOO_LIB}/{,**} mr,
-
- # Temporal files and sockets
- owner /tmp/{*lock,kde-*/**} rwk,
- owner /var/tmp/kdecache-*/* rwk,
- owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk,
- owner /run/user/[0-9]*/ksocket-*/{,**} rwk,
- /run/dbus/system_bus_socket w,
-
- /dev/{ati,dri}/** rw,
- audit deny /dev/{audio,video}* rwlkmx,
+ #include
+ #include"/etc/apparmor.d/abstractions/ubuntu-konsole"
+ include "/etc/apparmor.d/abstractions/openssl"
+
+ /{,**/} r,# Read only directories
+
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt
+
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/foo/{,**} rwk,
+ owner @{HOME}/.config/* rw,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+ owner @{HOME}/.cache/foo/{,**} rwk,
+
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
+ "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
+
+ allow file /etc/nsswitch.conf r,
+ allow /etc/fstab r,
+ /etc/udev/udev.conf r,
+ /etc/xdg/** r,
+ /etc/xdg/Trolltech.conf k,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,
+
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
+
+ /usr/bin/foo ixr,
+ /usr/bin/dolphin PUx,
+ /usr/bin/* Pixr,
+ /usr/bin/khelpcenter Cx -> sanitized_helper,
+ /usr/bin/helloworld Cxr ->
+ hello_world,
+
+ /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
+ @{FOO_LIB}/{,**} mr,
+
+ audit deny /dev/{audio,video}* rwlkmx,

# Dbus rules
dbus (send)
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.DBus.Introspectable
- =(name=org.freedesktop.NetworkManager label=unconfined),
+ =(name=org.freedesktop.NetworkManager label=unconfined),
dbus (send receive)
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.NetworkManager
={Introspect,state}
- =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
=session
=/org/gnome/GConf/Database/*
- ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ dbus (bind)
+ =system
+ =org.bluez,

# Signal rules
- signal (send) =(term) =unconfined,
- signal (send, receive) =(int exists) =/usr/lib/hello/world//foo-helper,
+ signal (send) =(term) =unconfined,
+ signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,

# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,

# Link rules (two ways)
- l /foo1 -> /bar,
- link /foo2 -> bar,
- link /foo3 to bar,
- link subset /link* -> /**,
+ l /foo1 -> /bar,
+ link /foo2 -> bar,
+ link /foo3 to bar,
+ link subset /link* -> /**,

# Network rules
- network inet6 tcp,#Allow access to tcp only for inet6 addresses
- network netlink dgram,
- network bluetooth,
+ network inet6 tcp, #Allow access to tcp only for inet6 addresses
+ network netlink dgram,
+ network bluetooth,
+ network unspec dgram,

# Capability rules
- capability dac_override,
- capability sys_admin,
- capability sys_chroot,
+ capability dac_override,
+ capability sys_admin,
+ capability sys_chroot,

# Mount rules
- mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount in (rw, bind) / -> /run/hellowordd/*.mnt,
- umount /home/*/helloworld/,
+ mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,

# Pivot Root rules
- pivot_root =/mnt/root/old/ /mnt/root/,
- pivot_root /mnt/root/,
+ pivot_root =/mnt/root/old/ /mnt/root/,
+ pivot_root /mnt/root/,

# Ptrace rules
- ptrace (trace) =unconfined,
- ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,
+ ptrace (trace) =unconfined,
+ ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,

# Unix rules
- unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
- unix (send,receive) =(stream) =0 =(addr=none),
- unix =(label=@{profile_name},addr=@helloworld),
+ unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
+ unix (send,receive) =(stream) =0 =(addr=none),
+ unix =(label=@{profile_name},addr=@helloworld),

# Rlimit rule
- set rlimit data <= 100M,
- set rlimit nproc <= 10,
- set rlimit nice <= 5,
+ set rlimit data <= 100M,
+ set rlimit nproc <= 10,
+ set rlimit memlock <= 2GB,
+ set rlimit rss <= infinity,

# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash -> new_profile,
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile /bin/bash ->
+ new_profile,

# Alias
- alias /usr/ -> /mnt/usr/,
+ alias /usr/ -> /mnt/usr/,
}

# Hat
^foo-helper {
- network unix stream,
- unix stream,
+ network unix stream,
+ unix stream,

- /usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions
+ /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions

# Text after a variable is highlighted as path
- file /my/path r,
- @{FOO_LIB}file r,
- @{FOO_LIB}#my/path r, #Comment
+ file /my/path r,
+ @{FOO_LIB}file r,
+ @{FOO_LIB}#my/path r, #Comment
}
}
-
-# Profile for /usr/bin/error
-profile syntax_error /usr/bin/error =(complain audit) {
- # Syntax error highlighting:
-
- # Error: Include
- include
- include <filepath >
- #includefilepath
- # include
- file #include /hello r,
-
- # Error: Variable open or with characters not allowed
- @{var
- @{sdf&s}
-
- # Error: Open brackets
- /{hello{ab,cd}world kr,
- /{abc{abc kr,
- /[abc kr,
- /(abc kr,
-
- # Error: Empty brackets
- /hello[]hello{}hello()he kr,
-
- # Error: Open rule
- /home/*/file rw
- capability dac_override
- deny file /etc/fstab w
- audit network ieee802154,
-
- dbus (receive
- unix stream,
- unix stream,
-}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml --- a/data/syntax/apparmor.xml +++ b/data/syntax/apparmor.xml @@ -1,59 +1,62 @@ + - + - ]> mediate_deleted attach_disconnected chroot_relative + chroot_attach + chroot_no_attach + delegate_deleted + no_attach_disconnected + namespace_relative allow deny + + owner + + audit - + - - - - set - - - alias - - - owner - file - - capability - network - mount - remount - umount - pivot_root - ptrace - signal - dbus - unix - link - change_profile - rlimit - + @@ -201,6 +186,8 @@ vsock mpls ib + kcm + smc @@ -216,59 +203,74 @@ icmp - + unix - + fstype vfstype options + option + r + w rw ro - bind - remount - nosuid + read-only suid - nodev + nosuid dev - noexec + nodev exec + noexec sync async + remount mand nomand dirsync - noatime atime - nodiratime + noatime diratime - rbind + nodiratime + bind + B move + M + rbind + R verbose silent loud acl noacl unbindable + make-unbindable runbindable + make-runbindable private + make-private rprivate + make-rprivate slave + make-slave rslave + make-rslave shared + make-shared rshared + make-rshared relatime norelatime iversion noiversion strictatime - nouser user + nouser @@ -304,6 +306,7 @@ romfs rootfs securityfs + selinuxfs sockfs specfs squashfs @@ -368,8 +371,7 @@ peer - - read + readby trace tracedby @@ -417,9 +419,7 @@ exists - - read - write + send receive @@ -438,6 +438,7 @@ label + send receive bind @@ -460,7 +461,7 @@ opt - + send receive bind 
@@ -506,508 +507,687 @@ safe unsafe - - - + + + rw r w + read + write + + + + + profile_name + + HOME + HOMEDIRS + multiarch + pid + pids + PROC + securityfs + apparmorfs + sys + tid + XDG_DESKTOP_DIR + XDG_DOWNLOAD_DIR + XDG_TEMPLATES_DIR + XDG_PUBLICSHARE_DIR + XDG_DOCUMENTS_DIR + XDG_MUSIC_DIR + XDG_PICTURES_DIR + XDG_VIDEOS_DIR + + abstractions/ + apache2-common + aspell + audio + authentication + base + bash + consoles + cups-client + dbus + dbus-accessibility + dbus-accessibility-strict + dbus-session + dbus-session-strict + dbus-strict + dconf + dovecot-common + enchant + fcitx + fcitx-strict + fonts + freedesktop.org + gnome + gnupg + ibus + kde + kerberosclient + launchpad-integration + ldapclient + libpam-systemd + likewise + mdns + mir + mozc + mysql + nameservice + nis + nvidia + openssl + orbit2 + p11-kit + perl + php + php5 + postfix-common + private-files + private-files-strict + python + ruby + samba + smbpass + ssl_certs + ssl_keys + svn-repositories + ubuntu-bittorrent-clients + ubuntu-browsers + ubuntu-console-browsers + ubuntu-console-email + ubuntu-email + ubuntu-feed-readers + ubuntu-gnome-terminal + ubuntu-helpers + ubuntu-konsole + ubuntu-media-players + ubuntu-unity7-base + ubuntu-unity7-launcher + ubuntu-unity7-messaging + ubuntu-xterm + user-download + user-mail + user-manpages + user-tmp + user-write + video + wayland + web-data + winbind + wutmp + X + xad + xdg-desktop + + ubuntu-browsers.d/ + java + mailto + multimedia + plugins-common + productivity + text-editors + ubuntu-integration + ubuntu-integration-xul + user-files + + apparmor_api/ + change_profile + examine + find_mountpoint + introspect + is_enabled + + tunables/ + alias + apparmorfs + dovecot + global + home + kernelvars + multiarch + ntpd + proc + securityfs + sys + xdg-user-dirs + home.d/ + multiarch.d/ + xdg-user-dirs.d/ + site.local + local/ + + + + True + False + + unspec none unconfined + + + mount + remount + umount + + alias + file + capability + network + 
pivot_root + ptrace + signal + dbus + unix + link + change_profile + rlimit + set + + + - + - + - + - - + + + + + + + - + - - + - - + + + + - - - - - - + + + - + + - - + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + + - - - - + - - + - - - - - - - - + - + - - - - + + + + + + + + + - - - - + + - - + + + + - + - - - - - - + + + + + - - - + + + - - + + + - - + - + - + + + + + + + + + + + + + - + - - + + - + - - + + - - - - - - - - - - - - - + + + + + + + + + + - - + - + - - - + + + - - - - - + + + + + + - - - + + + + + + + + + + + + - - - - - + - + - - - - - - - - + + + - - + + + + + - - - - + - - - - - - - - + + + - - + + + + + - + - - - - - - - - - - + + + - + + + + + - - - + + - - - - - - - - + + + - - - + + + + + + + - - - - - - - - - + + + - + + + + - + + - + - + + + + + - + + - + + + - + - + - - + - - - - - - - - + + + + + - + + - - - + + + + - - - - - - - - - - - + + + - - - - + + + + + - - - + + + - - - + - - - + + + + + - - - + + - + + + - + - + - - - - - - + + + - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + @@ -1018,73 +1198,79 @@ - - - + - + - + - - + + + + + - + + - - - + + - - + + + - + - - - + + + + + - - + + + - - - - + + + + - - - + - - + + + + - + - - - + + + + @@ -1095,30 +1281,23 @@ - + - - - - + + + - - + - - - - - @@ -1133,13 +1312,14 @@ + - + @@ -1153,26 +1333,26 @@ - + - + - + - - + +
