diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -11,26 +11,31 @@
@{USER_DIR}
= @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
-deny owner #No-comment
+deny owner #No-comment aa#aa
${BOOL} = true
+# Alias
+alias /usr/ -> /mnt/usr/,
+
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected enforce) {
- include #include
+profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
+
include if exists
+ include #include
+ /some/file mr, #include /bin/true Px,
+ # File rules
/{,**/} r,
owner /{home,media,mnt,srv,net}/** r,
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt
owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/* rw,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
"/usr/share/**" r,
@@ -40,22 +45,20 @@
allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
- deny /etc/udev/udev.conf a,
deny /etc/xdg/{autostart,systemd}/** r,
deny /boot/** rwlkmx,
-
+
owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
/sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,
/usr/bin/foo ixr,
/usr/bin/dolphin pUx,
/usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
hello_world,
-
- @{FOO_LIB}/{@{multiarch},64}/** mr,
-
+
# Dbus rules
dbus (send) #No-Comment
bus=system
@@ -134,13 +137,10 @@
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile//hat,
-
- # Alias
- alias /usr/ -> /mnt/usr/,
}
# Hat
- ^foo-\/helper {
+ ^foo-helper\/ {
network unix stream,
unix stream,
@@ -154,3 +154,117 @@
unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
}
}
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ path=/org/hello
+ #No comment
+ interface=org.hello #No comment
+ peer=(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_overridecapability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,remount,
+ unix remount
+ remount,remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,unix,
+ unix unix
+ unix,unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -13,55 +13,58 @@
include <tunables/global>
# Variable assignment
-@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR}
= @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
-deny owner #No-comment
+deny owner #No-comment aa#aa
${BOOL} = true
+# Alias
+alias /usr/ -> /mnt/usr/,
+
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected enforce) {
- include <include_tests/includes_okay_helper.include> #include <includes/base>
+profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
#include <abstractions/ubuntu-helpers>
#include<abstractions/wayland>
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
+
include if exists <path with spaces>
+ include <include_tests/includes_okay_helper.include> #include <includes/base>
+ /some/file mr, #include <includes/base> /bin/true Px,
- /{,**/} r,
- owner /{home,media,mnt,srv,net}/** r,
+ # File rules
+ /{,**/} r,
+ owner /{home,media,mnt,srv,net}/** r,
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt
- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/* rw,
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
"/usr/share/**" r,
"/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
- string,hello}/a[^ a]a/**" r,
+ string,hello}/a[^ a]a/**" r,
allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
- deny /etc/udev/udev.conf a,
- deny /etc/xdg/{autostart,systemd}/** r,
+ deny /etc/xdg/{autostart,systemd}/** r,
deny /boot/** rwlkmx,
-
- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
/sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,
/usr/bin/foo ixr,
/usr/bin/dolphin pUx,
/usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
hello_world,
-
- @{FOO_LIB}/{@{multiarch},64}/** mr,
-
+
# Dbus rules
dbus (send) #No-Comment
bus=system
@@ -72,12 +75,12 @@
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
- member={Introspect,state}
- peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ member={Introspect,state}
+ peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
- member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
bus=system
name=org.bluez,
@@ -89,9 +92,9 @@
# Child profile
profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
# Link rules (two ways)
l /foo1 -> /bar,
@@ -130,23 +133,20 @@
unix peer=(label=@{profile_name},addr=@helloworld),
# Rlimit rule
- set rlimit data <= 100M,
+ set rlimit data <= 100M,
set rlimit nproc <= 10,
- set rlimit memlock <= 2GB,
+ set rlimit memlock <= 2GB,
set rlimit rss <= infinity,
# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile//hat,
-
- # Alias
- alias /usr/ -> /mnt/usr/,
}
# Hat
- ^foo-\/helper {
+ ^foo-helper\/ {
network unix stream,
unix stream,
@@ -160,4 +160,118 @@
unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
}
}
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ path=/org/hello
+ #No comment
+ interface=org.hello #No comment
+ peer=(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}