diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -1,66 +1,63 @@ # Sample AppArmor Profile. # License: Public Domain -# Last change: January 25, 2018 + +# NOTE: This profile is not fully functional, since +# it is designed to test the syntax highlighting. include # Variable assignment @{FOO_LIB}=/usr/lib{,32,64}/foo -@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop -@{USER_DIR} += @{HOME}/Hello +@{USER_DIR} + = @{HOME}/Public @{HOME}/Desktop #No-Comment +@{USER_DIR} += @{HOME}/Hello \ +deny owner #No-comment +${BOOL} = true # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected, enforce) { - include - include - +/usr/bin/foo (attach_disconnected enforce) { + include #include #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists - /{,**/} r,# Read only directories - + /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/foo/{,**} rwk, owner @{HOME}/.config/* rw, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, - owner @{HOME}/.cache/foo/{,**} rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, - "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, + "/var/lib/{spaces in + string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, - /etc/udev/udev.conf r, - /etc/xdg/** r, - /etc/xdg/Trolltech.conf k, + deny /etc/udev/udev.conf a, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, /usr/bin/foo ixr, - /usr/bin/dolphin PUx, + /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, - /usr/bin/helloworld Cxr -> + /usr/bin/helloworld cxr -> hello_world, - /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m, - @{FOO_LIB}/{,**} mr, + @{FOO_LIB}/{@{multiarch},64}/** mr, - audit deny /dev/{audio,video}* rwlkmx, - # 
Dbus rules - dbus (send) + dbus (send) #No-Comment bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable
@@ -80,7 +77,7 @@ name=org.bluez, # Signal rules - signal (send) set=(term) peer=unconfined, + signal (send) set=(term) peer="/usr/lib/hello/world// foo helper", signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile
@@ -97,7 +94,7 @@ link subset /link* -> /**, # Network rules - network inet6 tcp, #Allow access to tcp only for inet6 addresses + network inet6 tcp, network netlink dgram, network bluetooth, network unspec dgram,
@@ -122,7 +119,7 @@ ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules - unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*), + unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined), unix (send,receive) type=(stream) protocol=0 peer=(addr=none), unix peer=(label=@{profile_name},addr=@helloworld),
@@ -136,22 +133,24 @@ change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> - new_profile, + new_profile//hat, # Alias alias /usr/ -> /mnt/usr/, } # Hat - ^foo-helper { + ^foo-\/helper { network unix stream, unix stream, - /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions + /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment + @{FOO_LIB}ñ* r, + unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } }
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -6,104 +6,101 @@
 # Sample AppArmor Profile.
 # License: Public Domain
-# Last change: January 25, 2018
+
+# NOTE: This profile is not fully functional, since
+# it is designed to test the syntax highlighting.
 
 include <tunables/global>
 
 # Variable assignment
-@{FOO_LIB}=/usr/lib{,32,64}/foo
-@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop
-@{USER_DIR} += @{HOME}/Hello
+@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{USER_DIR}
+  = @{HOME}/Public @{HOME}/Desktop #No-Comment
+@{USER_DIR} += @{HOME}/Hello \
+deny owner #No-comment
+${BOOL} = true
 
 # Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected, enforce) {
-	include <abstractions/base>
-	include <abstractions/dbus>
-
+/usr/bin/foo (attach_disconnected enforce) {
+	include <include_tests/includes_okay_helper.include> #include <includes/base>
 	#include <abstractions/ubuntu-helpers>
 	#include<abstractions/wayland>
 	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
 	include "/etc/apparmor.d/abstractions/openssl"
+	include if exists <path with spaces>
 
-	/{,**/} r,# Read only directories
-
-	owner /{home,media,mnt,srv,net}/** r,
+	/{,**/} r,
+	owner /{home,media,mnt,srv,net}/** r,
 	owner @{USER_DIR}/** rw,
 	audit deny owner /**/* mx,
-	/**.[tT][xX][tT] r,  # txt
+	/**.[tT][xX][tT] r,  # txt
 	
-	owner file @{HOME}/.local/share/foo/{,**} rwkl,
-	owner @{HOME}/.config/foo/{,**}           rwk,
+	owner file @{HOME}/.local/share/foo/{,**} rwkl,
 	owner @{HOME}/.config/*                   rw,
-	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk,
-	owner @{HOME}/.cache/foo/{,**}            rwk,
+	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk,
 
 	"/usr/share/**" r,
 	"/var/lib/flatpak/exports/share/**" r,
-	"/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
+	"/var/lib/{spaces in
+		string,hello}/a[^ a]a/**" r,
 
 	allow file /etc/nsswitch.conf           r,
 	allow /etc/fstab                        r,
-	/etc/udev/udev.conf                     r,
-	/etc/xdg/**                             r,
-	/etc/xdg/Trolltech.conf                 k,
-	deny /etc/xdg/{autostart,systemd}/**    r,
+	deny /etc/udev/udev.conf                a,
+	deny /etc/xdg/{autostart,systemd}/**    r,
 	deny /boot/**                           rwlkmx,
 	
-	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
 	/sys/devices/**/uevent r,
 
 	/usr/bin/foo         ixr,
-	/usr/bin/dolphin     PUx,
+	/usr/bin/dolphin     pUx,
 	/usr/bin/*           Pixr,
 	/usr/bin/khelpcenter Cx  -> sanitized_helper,
-	/usr/bin/helloworld  Cxr ->
+	/usr/bin/helloworld  cxr ->
 			hello_world,
 	
-	/usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
-	@{FOO_LIB}/{,**} mr,
+	@{FOO_LIB}/{@{multiarch},64}/** mr,
 	
-	audit deny /dev/{audio,video}* rwlkmx,
-
 	# Dbus rules
-	dbus (send)
+	dbus (send)  #No-Comment
 		bus=system
 		path=/org/freedesktop/NetworkManager
 		interface=org.freedesktop.DBus.Introspectable
 		peer=(name=org.freedesktop.NetworkManager label=unconfined),
 	dbus (send receive)
 		bus=system
 		path=/org/freedesktop/NetworkManager
 		interface=org.freedesktop.NetworkManager
-		member={Introspect,state}
-		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+		member={Introspect,state}
+		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
 	dbus (send)
 		bus=session
 		path=/org/gnome/GConf/Database/*
-		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
 	dbus (bind)
 		bus=system
 		name=org.bluez,
 
 	# Signal rules
-	signal (send) set=(term) peer=unconfined,
+	signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
 	signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
 
 	# Child profile
 	profile hello_world {
 		# File rules (three different ways)
-		file /usr/lib{,32,64}/helloworld/**.so mr,
-		/usr/lib{,32,64}/helloworld/** r,
-		rk /usr/lib{,32,64}/helloworld/hello,file,
+		file /usr/lib{,32,64}/helloworld/**.so mr,
+		/usr/lib{,32,64}/helloworld/** r,
+		rk /usr/lib{,32,64}/helloworld/hello,file,
 
 		# Link rules (two ways)
 		l /foo1 -> /bar,
 		link /foo2 -> bar,
-		link /foo3 to bar,
+		link /foo3 to bar,
 		link subset /link* -> /**,
 
 		# Network rules
-		network inet6 tcp, #Allow access to tcp only for inet6 addresses
+		network inet6 tcp,
 		network netlink dgram,
 		network bluetooth,
 		network unspec dgram,
@@ -115,8 +112,8 @@
 
 		# Mount rules
 		mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
-		mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
-		mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+		mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
+		mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
 		umount /home/*/helloworld/,
 
 		# Pivot Root rules
@@ -128,37 +125,39 @@
 		ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
 
 		# Unix rules
-		unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*),
+		unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
 		unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
 		unix peer=(label=@{profile_name},addr=@helloworld),
 
 		# Rlimit rule
-		set rlimit data  <= 100M,
+		set rlimit data  <= 100M,
 		set rlimit nproc <= 10,
-		set rlimit memlock <= 2GB,
-		set rlimit rss <= infinity,
+		set rlimit memlock <= 2GB,
+		set rlimit rss <= infinity,
 
 		# Change Profile rules
-		change_profile unsafe /** -> [^u/]**,
+		change_profile unsafe /** -> [^u/]**,
 		change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
 		change_profile /bin/bash  -> 
-			new_profile,
+			new_profile//hat,
 
 		# Alias
 		alias /usr/ -> /mnt/usr/,
 	}
 
 	# Hat
-	^foo-helper {
+	^foo-\/helper {
 		network unix stream,
 		unix stream,
 
-		/usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
+		/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
 
 		# Text after a variable is highlighted as path
 		file /my/path r,
 		@{FOO_LIB}file r,
 		@{FOO_LIB}#my/path r, #Comment
+		@{FOO_LIB}ñ* r,
+		unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
 	}
 }
 
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test
--- a/autotests/input/usr.bin.apparmor-profile-test
+++ b/autotests/input/usr.bin.apparmor-profile-test
@@ -1,66 +1,63 @@ # Sample AppArmor Profile. # License: Public Domain -# Last change: January 25, 2018 + +# NOTE: This profile is not fully functional, since +# it is designed to test the syntax highlighting. include # Variable assignment @{FOO_LIB}=/usr/lib{,32,64}/foo -@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop -@{USER_DIR} += @{HOME}/Hello +@{USER_DIR} + = @{HOME}/Public @{HOME}/Desktop #No-Comment +@{USER_DIR} += @{HOME}/Hello \ +deny owner #No-comment +${BOOL} = true # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected, enforce) { - include - include - +/usr/bin/foo (attach_disconnected enforce) { + include #include #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists - /{,**/} r,# Read only directories - + /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/foo/{,**} rwk, owner @{HOME}/.config/* rw, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, - owner @{HOME}/.cache/foo/{,**} rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, - "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, + "/var/lib/{spaces in + string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, - /etc/udev/udev.conf r, - /etc/xdg/** r, - /etc/xdg/Trolltech.conf k, + deny /etc/udev/udev.conf a, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, /usr/bin/foo ixr, - /usr/bin/dolphin PUx, + /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, - /usr/bin/helloworld Cxr -> + /usr/bin/helloworld cxr -> hello_world, - /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m, - @{FOO_LIB}/{,**} mr, + @{FOO_LIB}/{@{multiarch},64}/** mr, - audit deny /dev/{audio,video}* rwlkmx, - # 
Dbus rules - dbus (send) + dbus (send) #No-Comment bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable
@@ -80,7 +77,7 @@ name=org.bluez, # Signal rules - signal (send) set=(term) peer=unconfined, + signal (send) set=(term) peer="/usr/lib/hello/world// foo helper", signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile
@@ -97,7 +94,7 @@ link subset /link* -> /**, # Network rules - network inet6 tcp, #Allow access to tcp only for inet6 addresses + network inet6 tcp, network netlink dgram, network bluetooth, network unspec dgram,
@@ -122,7 +119,7 @@ ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules - unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*), + unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined), unix (send,receive) type=(stream) protocol=0 peer=(addr=none), unix peer=(label=@{profile_name},addr=@helloworld),
@@ -136,22 +133,24 @@ change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> - new_profile, + new_profile//hat, # Alias alias /usr/ -> /mnt/usr/, } # Hat - ^foo-helper { + ^foo-\/helper { network unix stream, unix stream, - /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions + /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment + @{FOO_LIB}ñ* r, + unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } }
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -1,157 +1,156 @@ # Sample AppArmor Profile.
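Review bot: The edge-case constructs this fixture now introduces — the `pUx` and `cxr` exec modes, the `\477` escape in the hat's path rule, the `^foo-\/helper` hat name, and the `\`-continued `@{USER_DIR} +=` assignment followed by `deny owner #No-comment` — carry no comment saying which highlighting behaviour each is meant to exercise, unlike the existing `# Escape expressions` and `#No-Comment` markers on neighbouring lines. A short trailing comment on each, e.g. `/usr/bin/dolphin     pUx, # mixed-case exec mode`, would let a maintainer tell a deliberate oddity from a typo when the reference output changes. Any comment added here also alters the generated `.ref`, `.html` and `.fold` fixtures, so they would need regenerating in the same commit. The hunks of this file are collapsed onto one line on this page, so exact placement is inferred.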
# License: Public Domain
-# Last change: January 25, 2018
-
+
+# NOTE: This profile is not fully functional, since
+# it is designed to test the syntax highlighting.
+
include
-
+
# Variable assignment
-@{FOO_LIB}=/usr/lib{,32,64}/foo
-@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop
-@{USER_DIR} += @{HOME}/Hello
-
+@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{USER_DIR}
+ = @{HOME}/Public @{HOME}/Desktop #No-Comment
+@{USER_DIR} += @{HOME}/Hello \
+deny owner #No-comment
+${BOOL} = true
+
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected, enforce) {
- include
- include
-
+/usr/bin/foo (attach_disconnected enforce) {
+ include #include
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
-
- /{,**/} r,# Read only directories
-
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/** rw,
- audit deny owner /**/* mx,
- /**.[tT][xX][tT] r, # txt
+ include if exists
+
+ /{,**/} r,
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt

- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/foo/{,**} rwk,
- owner @{HOME}/.config/* rw,
- owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
- owner @{HOME}/.cache/foo/{,**} rwk,
-
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
- "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
-
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/* rw,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
+ "/var/lib/{spaces in
+ string,hello}/a[^ a]a/**" r,
+
allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
- /etc/udev/udev.conf r,
- /etc/xdg/** r,
- /etc/xdg/Trolltech.conf k,
- deny /etc/xdg/{autostart,systemd}/** r,
- deny /boot/** rwlkmx,
+ deny /etc/udev/udev.conf a,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,

- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
-
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
+
/usr/bin/foo ixr,
- /usr/bin/dolphin PUx,
- /usr/bin/* Pixr,
+ /usr/bin/dolphin pUx,
+ /usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
- /usr/bin/helloworld Cxr ->
+ /usr/bin/helloworld cxr ->
hello_world,

- /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
- @{FOO_LIB}/{,**} mr,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,

- audit deny /dev/{audio,video}* rwlkmx,
-
# Dbus rules
- dbus (send)
+ dbus (send) #No-Comment
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.DBus.Introspectable
=(name=org.freedesktop.NetworkManager label=unconfined),
dbus (send receive)
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.NetworkManager
- ={Introspect,state}
- =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ ={Introspect,state}
+ =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
=session
- =/org/gnome/GConf/Database/*
- ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ =/org/gnome/GConf/Database/*
+ ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
=system
=org.bluez,
-
+
# Signal rules
- signal (send) =(term) =unconfined,
- signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,
-
+ signal (send) =(term) ="/usr/lib/hello/world// foo helper",
+ signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,
+
# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
-
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
+
# Link rules (two ways)
l /foo1 -> /bar,
link /foo2 -> bar,
- link /foo3 to bar,
- link subset /link* -> /**,
-
+ link /foo3 to bar,
+ link subset /link* -> /**,
+
# Network rules
- network inet6 tcp, #Allow access to tcp only for inet6 addresses
+ network inet6 tcp,
network netlink dgram,
network bluetooth,
network unspec dgram,
-
+
# Capability rules
capability dac_override,
capability sys_admin,
capability sys_chroot,
-
+
# Mount rules
- mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount in (rw, bind) / -> /run/hellowordd/*.mnt,
- mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
- umount /home/*/helloworld/,
-
+ mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,
+
# Pivot Root rules
pivot_root =/mnt/root/old/ /mnt/root/,
pivot_root /mnt/root/,
-
+
# Ptrace rules
ptrace (trace) =unconfined,
ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,
-
+
# Unix rules
- unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
+ unix (connect receive send) =(stream) =(addr=@/tmp/ibus/dbus-*,label=unconfined),
unix (send,receive) =(stream) =0 =(addr=none),
unix =(label=@{profile_name},addr=@helloworld),
-
+
# Rlimit rule
- set rlimit data <= 100M,
+ set rlimit data <= 100M,
set rlimit nproc <= 10,
- set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
-
+ set rlimit memlock <= 2GB,
+ set rlimit rss <= infinity,
+
# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
- new_profile,
-
+ new_profile//hat,
+
# Alias
alias /usr/ -> /mnt/usr/,
- }
-
+ }
+
# Hat
- ^foo-helper {
+ ^foo-\/helper {
network unix stream,
unix stream,
-
- /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
-
+
+ /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
+
# Text after a variable is highlighted as path
file /my/path r,
@{FOO_LIB}file r,
@{FOO_LIB}#my/path r, #Comment
- }
-}
+ @{FOO_LIB}ñ* r,
+ unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
+ }
+}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml --- a/data/syntax/apparmor.xml +++ b/data/syntax/apparmor.xml @@ -1,16 +1,21 @@ - - - + + + + + + + + ]> flags + xattrs audit @@ -99,8 +106,9 @@ audit - + + + Also: unix --> inet ax25 ipx @@ -192,7 +200,7 @@ smc + Also: packet --> stream dgram seqpacket @@ -206,7 +214,7 @@ + to avoid conflicts with the 'unix' rule name. --> unix @@ -275,7 +283,12 @@ nouser + ecryptfs + overlayfs + unionfs + shm + apparmorfs autofs bdev bpf @@ -291,22 +304,23 @@ devfs devpts devtmpfs - ecryptfs efs fuse fuseblk fusectl + futexfs hugetlbfs - iso9660 kernfs mqueue pipefs proc procfs + pstorefs pstore ramfs romfs rootfs + sdcardfs securityfs selinuxfs sockfs @@ -318,21 +332,33 @@ tmpfs usbfs vfat + functionfs + inotifyfs + labeledfs + oemfs adfs affs + afs apfs + bfs btrfs + ceph coda exfat ext2 ext3 ext4 f2fs fatx + gfs hfs hfsplus hpfs + ifs + iso9660 + jffs2 + jffs jfs lvm2 minix @@ -342,9 +368,9 @@ nilfs2 nfs nfs4 - ntfs ntfs-3g - openzfs + ntfs + ocfs qnx4 qnx6 reiser4 @@ -357,7 +383,9 @@ ufs umsdos urefs - xenix + xenix + yaffs2 + yaffs xfs zfs @@ -452,7 +480,7 @@ - + peer set label @@ -509,6 +537,11 @@ safe unsafe + + + if + exists + @@ -520,8 +553,8 @@ + NOTE: The following keywords are not used for highlighting. The purpose of these + is to provide autocomplete suggestions when writing Include rules and variables. --> profile_name @@ -562,6 +595,8 @@ dbus-strict dconf dovecot-common + dri-common + dri-enumerate enchant fcitx fcitx-strict @@ -577,12 +612,19 @@ libpam-systemd likewise mdns + mesa mir mozc mysql nameservice nis nvidia + opencl + opencl-common + opencl-intel + opencl-mesa + opencl-nvidia + opencl-pocl openssl orbit2 p11-kit @@ -593,6 +635,7 @@ private-files private-files-strict python + qt5 ruby samba smbpass @@ -619,6 +662,7 @@ user-tmp user-write video + vulkan wayland web-data winbind 
@@ -667,18 +711,22 @@ - True - False + true + false unspec none unconfined + NOTE: + - Each rule name is a keyword in separate lists, since each + has a different context and for a correct delimitation of the words. + - The content of a rule is found in the contexts "_default_rule" + and "_default_rule_with_comments". + - When adding a new rule, add it also in "_end_rule_irnc". --> mount remount @@ -699,7 +747,7 @@ set + if, else, not, defined, other, rewrite, quiet, kill, nokill --> @@ -716,16 +764,26 @@ + + + + + - - - + + - - + + @@ -749,185 +807,231 @@ - - - + + + + - - - - + + + + + + + + + + - - + + + - - - - - + + + + + + + + - + - + - - - - - - + + + + + + + + + + - - - - + - + - + + + + + - + - - - - - - + + + + + + - + + + + + + + + + + + + + - - - + + + - - - + + + + + - - - - - - - - - + + + + + + + + + + + + (these are carried through to the policy). This is an AppArmor bug, therefore, the hash + character after a space is highlighted as "Error". Check this when the bug has been fixed. --> - + + + + + + - - - - + + + - - + + - - + + - - - - - - - - - + + + + + + + + + + + + + + - - + + + - + + + + + + + - - - - - - - - - - - - + + + + + + + + - + - - + + - + + @@ -954,7 +1058,7 @@ - + @@ -977,7 +1081,7 @@ - + @@ -994,13 +1098,13 @@ - + - + @@ -1013,7 +1117,7 @@ - + @@ -1024,16 +1128,16 @@ - - + + + - @@ -1050,15 +1154,17 @@ - - - - - - - + + + + + + + + + @@ -1085,90 +1191,99 @@ - - - + + + - - + + + - + - + - - - + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - + + + + + - - - - - - - - - - - - - - - - - - - - + + + - - + + + + - - + + + - - + - @@ -1186,27 +1301,33 @@ + ('unix' is also a domain of the network rule; 'remount' is also a flag of the mount rule). --> - - - - + + + - - + + + + + + + + + + + + - - - 
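Review bot: The comment in the `@@ -749,185 +807,231 @@` hunk that ends `Check this when the bug has been fixed.` describes an AppArmor parser bug (a `#` after a space being carried through to the policy, so the definition highlights it as "Error") without citing the upstream report, so a later maintainer cannot tell whether the workaround is still needed. Add the tracker reference to that sentence, e.g. `See AppArmor bug [BUG-URL placeholder]; remove the "Error" highlighting once it is fixed.`. The XML elements of this hunk have been stripped on this page, so the rule and context definitions themselves could not be reviewed here.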
@@ -1217,150 +1338,185 @@ - - + + - - + + + - - - + + - - - - - - - - - - - - - + + + - + + + + - - - - - - - - - - + + + + - - - + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + - - - + + + - - - - - + - + + + + + + + + + + - + + + + + - + + + + + - - + + + - + - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - + +