diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -11,26 +11,31 @@ @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ -deny owner #No-comment +deny owner #No-comment aa#aa ${BOOL} = true +# Alias +alias /usr/ -> /mnt/usr/, + # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected enforce) { - include #include +profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists + include #include + /some/file mr, #include /bin/true Px, + # File rules /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/* rw, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r,
@@ -40,22 +45,20 @@ allow file /etc/nsswitch.conf r, allow /etc/fstab r, - deny /etc/udev/udev.conf a, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, - + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, + @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> hello_world, - - @{FOO_LIB}/{@{multiarch},64}/** mr, - + # Dbus rules dbus (send) #No-Comment bus=system
@@ -134,13 +137,10 @@ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, - - # Alias - alias /usr/ -> /mnt/usr/, } # Hat - ^foo-\/helper { + ^foo-helper\/ { network unix stream, unix stream,
@@ -154,3 +154,117 @@ unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } }
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ path=/org/hello
+ #No comment
+ interface=org.hello #No comment
+ peer=(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_overridecapability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,remount,
+ unix remount
+ remount,remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,unix,
+ unix unix
+ unix,unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -13,55 +13,58 @@ include <tunables/global> # Variable assignment -@{FOO_LIB}=/usr/lib{,32,64}/foo +@{FOO_LIB}=/usr/lib{,32,64}/foo @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ -deny owner #No-comment +deny owner #No-comment aa#aa ${BOOL} = true +# Alias +alias /usr/ -> /mnt/usr/, + # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected enforce) { - include <include_tests/includes_okay_helper.include> #include <includes/base> +profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include <abstractions/ubuntu-helpers> #include<abstractions/wayland> #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists <path with spaces> + include <include_tests/includes_okay_helper.include> #include <includes/base> + /some/file mr, #include <includes/base> /bin/true Px, - /{,**/} r, - owner /{home,media,mnt,srv,net}/** r, + # File rules + /{,**/} r, + owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt - owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/* rw, + owner file @{HOME}/.local/share/foo/{,**} rwkl, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, "/var/lib/{spaces in - string,hello}/a[^ a]a/**" r, + string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, - deny /etc/udev/udev.conf a, - deny /etc/xdg/{autostart,systemd}/** r, + deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, - - owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, + + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, + @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> hello_world, - - @{FOO_LIB}/{@{multiarch},64}/** mr, - + # Dbus 
rules dbus (send) #No-Comment bus=system
@@ -72,12 +75,12 @@ bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member={Introspect,state} - peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), + member={Introspect,state} + peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), dbus (send) bus=session path=/org/gnome/GConf/Database/* - member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, + member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, dbus (bind) bus=system name=org.bluez,
@@ -89,9 +92,9 @@ # Child profile profile hello_world { # File rules (three different ways) - file /usr/lib{,32,64}/helloworld/**.so mr, - /usr/lib{,32,64}/helloworld/** r, - rk /usr/lib{,32,64}/helloworld/hello,file, + file /usr/lib{,32,64}/helloworld/**.so mr, + /usr/lib{,32,64}/helloworld/** r, + rk /usr/lib{,32,64}/helloworld/hello,file, # Link rules (two ways) l /foo1 -> /bar,
@@ -130,23 +133,20 @@ unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule - set rlimit data <= 100M, + set rlimit data <= 100M, set rlimit nproc <= 10, - set rlimit memlock <= 2GB, + set rlimit memlock <= 2GB, set rlimit rss <= infinity, # Change Profile rules change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, - - # Alias - alias /usr/ -> /mnt/usr/, } # Hat - ^foo-\/helper { + ^foo-helper\/ { network unix stream, unix stream,
@@ -160,4 +160,118 @@ unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } }
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ path=/org/hello
+ #No comment
+ interface=org.hello #No comment
+ peer=(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test
--- a/autotests/input/usr.bin.apparmor-profile-test
+++ b/autotests/input/usr.bin.apparmor-profile-test
@@ -11,26 +11,31 @@ @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ -deny owner #No-comment +deny owner #No-comment aa#aa ${BOOL} = true +# Alias +alias /usr/ -> /mnt/usr/, + # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected enforce) { - include #include +profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists + include #include + /some/file mr, #include /bin/true Px, + # File rules /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/* rw, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r,
@@ -40,22 +45,20 @@ allow file /etc/nsswitch.conf r, allow /etc/fstab r, - deny /etc/udev/udev.conf a, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, - + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, + @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> hello_world, - - @{FOO_LIB}/{@{multiarch},64}/** mr, - + # Dbus rules dbus (send) #No-Comment bus=system
@@ -134,13 +137,10 @@ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, - - # Alias - alias /usr/ -> /mnt/usr/, } # Hat - ^foo-\/helper { + ^foo-helper\/ { network unix stream, unix stream,
@@ -154,3 +154,117 @@ unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } }
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ path=/org/hello
+ #No comment
+ interface=org.hello #No comment
+ peer=(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -11,26 +11,31 @@ @{USER_DIR}
= @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
-deny owner #No-comment
+deny owner #No-comment aa#aa
${BOOL} = true

+# Alias
+alias /usr/ -> /mnt/usr/,
+
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected enforce) {
- include #include
+profile foo /usr/bin/foo =(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
+
include if exists
+ include #include
+ /some/file mr, #include /bin/true Px,

+ # File rules
/{,**/} r,
owner /{home,media,mnt,srv,net}/** r,
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt

owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/* rw,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,

"/usr/share/**" r,
@@ -40,22 +45,20 @@
allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
- deny /etc/udev/udev.conf a,
deny /etc/xdg/{autostart,systemd}/** r,
deny /boot/** rwlkmx,
-
+
owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
/sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,

/usr/bin/foo ixr,
/usr/bin/dolphin pUx,
/usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
hello_world,
-
- @{FOO_LIB}/{@{multiarch},64}/** mr,
-
+
# Dbus rules
dbus (send) #No-Comment
=system
@@ -134,13 +137,10 @@ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile//hat,
-
- # Alias
- alias /usr/ -> /mnt/usr/,
}

# Hat
- ^foo-\/helper {
+ ^foo-helper\/ {
network unix stream,
unix stream,

@@ -154,3 +154,117 @@ unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
}
}
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ =/org/hello
+ #No comment
+ =org.hello #No comment
+ =(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags =(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -15,36 +15,39 @@ AppArmor Profiles Syntax Highlighting Definition for the KDE KSyntaxHighlighting Framework ========================================================================================== This file is part of the KDE's KSyntaxHighlighting framework. - + Copyright (c) 2017-2018 Nibaldo González S. (nibgonz@gmail.com) - + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ========================================================================================== - + Last update: Syntax highlighting based in AppArmor 2.13.0 For more details about the syntax of AppArmor profiles, visit: https://gitlab.com/apparmor/apparmor/wikis/Documentation - http://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor.d.5.html - + http://manpages.ubuntu.com/manpages/cosmic/en/man5/apparmor.d.5.html + Change log: + * Version 7 [15-Sep-2018]: + - Update itemData's style for the new Solarized color schemes. + - Fixes in "_end_rule_irnc". 
* Version 6 [24-Jul-2018, by Nibaldo G.]: (AppArmor 2.13.0) - Fixes for Include rules, add 'if exists'. Fix escapes & globbing in text quoted. - - Improvements in paths that start with variables, hats, comments and variable + - Improvements in paths that start with variables, hats, comments and variable assignments and others. Add some abstractions & filesystems. * Version 4 [25-Jan-2018, by Nibaldo G.]: (AppArmor 2.12.0) - New keywords: network and mount rules, default abstractions, variables and others. @@ -61,17 +64,17 @@ --> - + version="7" + kateversion="5.0" + section="Markup" + extensions="usr.bin.*;usr.sbin.*;bin.*;sbin.*;usr.lib.*;usr.lib64.*;usr.lib32.*;usr.libx32.*;usr.libexec.*;usr.local.bin.*;usr.local.sbin.*;usr.local.lib*;opt.*;etc.cron.*;snap.*;snap-update-ns.*;snap-confine.*" + priority="0" + mimetype="" + author="Nibaldo González (nibgonz@gmail.com)" + license="MIT"> + - + profile @@ -109,7 +112,7 @@ - + @@ -213,11 +216,11 @@ icmp - unix - + fstype @@ -288,6 +291,8 @@ unionfs shm + cryfs + encfs apparmorfs autofs bdev @@ -478,7 +483,7 @@ system session - + peer @@ -542,22 +547,22 @@ if exists - + rw r w read write - + profile_name - + HOME HOMEDIRS multiarch @@ -605,6 +610,9 @@ gnome gnupg ibus + kde-icon-cache-write + kde-globals-write + kde-language-write kde kerberosclient launchpad-integration @@ -635,7 +643,10 @@ private-files private-files-strict python + qt5-compose-cache-write + qt5-settings-write qt5 + recent-documents-write ruby samba smbpass @@ -746,24 +757,24 @@ rlimit set - - + - + - + @@ -832,9 +843,9 @@ - + - + @@ -941,9 +952,9 @@ - - @@ -959,8 +970,8 @@ - - + + @@ -989,7 +1000,7 @@ - + @@ -999,7 +1010,7 @@ - + @@ -1009,7 +1020,7 @@ - + @@ -1030,7 +1041,7 @@ - + @@ -1106,7 +1117,7 @@ - + @@ -1144,7 +1155,7 @@ - + @@ -1185,8 +1196,8 @@ - - @@ -1272,38 +1283,60 @@ - + - + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + @@ -1349,7 +1382,7 @@ - + @@ -1435,7 +1468,7 @@ - + 
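Review bot: The new changelog entry `* Version 7 [15-Sep-2018]:` in the header comment is formatted differently from the entries directly below it, which record the author and the AppArmor release the highlighting was checked against (`* Version 6 [24-Jul-2018, by Nibaldo G.]: (AppArmor 2.13.0)`). The same hunk already names the author in the `author=` attribute and keeps the "Last update: Syntax highlighting based in AppArmor 2.13.0" line unchanged, so a consistent entry would be `* Version 7 [15-Sep-2018, by Nibaldo G.]: (AppArmor 2.13.0)`. The bullet `- Fixes in "_end_rule_irnc".` would also be more useful to a later reader if it said in a few words what was wrong in that context, as the Version 6 bullets do for include rules and quoted text. The header comment continues past the end of this hunk.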
@@ -1453,20 +1486,20 @@ - + - + - + - - + + @@ -1476,21 +1509,21 @@ - + - + - + @@ -1512,7 +1545,7 @@ - +