diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -15,256 +15,261 @@
${BOOL} = true
# Alias
-alias /usr/ -> /mnt/usr/,
+alias /usr/ -> /mnt/usr/,
# Profile for /usr/bin/foo
-profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
+profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
include if exists
include #include
- /some/file mr, #include /bin/true Px,
+ /some/file mr, #include /bin/true Px,
# File rules
- /{,**/} r,
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/** rw,
- audit deny owner /**/* mx,
- /**.[tT][xX][tT] r, # txt
-
- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
-
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
+ /{,**/} r,
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt
+
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
- string,hello}/a[^ a]a/**" r,
+ string,hello}/a[^ a]a/**" r,
- allow file /etc/nsswitch.conf r,
- allow /etc/fstab r,
- deny /etc/xdg/{autostart,systemd}/** r,
- deny /boot/** rwlkmx,
+ allow file /etc/nsswitch.conf r,
+ allow /etc/fstab r,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,
- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
- @{FOO_LIB}/{@{multiarch},64}/** mr,
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,
- /usr/bin/foo ixr,
- /usr/bin/dolphin pUx,
- /usr/bin/* Pixr,
- /usr/bin/khelpcenter Cx -> sanitized_helper,
+ /usr/bin/foo ixr,
+ /usr/bin/dolphin pUx,
+ /usr/bin/* Pixr,
+ /usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
- hello_world,
+ hello_world,
# Dbus rules
- dbus (send) #No-Comment
+ dbus (send) #No-Comment
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
- peer=(name=org.freedesktop.NetworkManager label=unconfined),
- dbus (send receive)
+ peer=(name=org.freedesktop.NetworkManager label=unconfined),
+ dbus (send receive)
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={Introspect,state}
- peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
- dbus (send)
+ peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
- member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
- dbus (bind)
+ member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ dbus (bind)
bus=system
- name=org.bluez,
+ name=org.bluez,
# Signal rules
- signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
- signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
+ signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
+ signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
# Link rules (two ways)
- l /foo1 -> /bar,
- link /foo2 -> bar,
- link /foo3 to bar,
- link subset /link* -> /**,
+ l /foo1 -> /bar,
+ link /foo2 -> bar,
+ link /foo3 to bar,
+ link subset /link* -> /**,
# Network rules
- network inet6 tcp,
- network netlink dgram,
- network bluetooth,
- network unspec dgram,
+ network inet6 tcp,
+ network netlink dgram,
+ network bluetooth,
+ network unspec dgram,
# Capability rules
- capability dac_override,
- capability sys_admin,
- capability sys_chroot,
+ capability dac_override,
+ capability sys_admin,
+ capability sys_chroot,
# Mount rules
- mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
- mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
- umount /home/*/helloworld/,
+ mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,
# Pivot Root rules
- pivot_root oldroot=/mnt/root/old/ /mnt/root/,
- pivot_root /mnt/root/,
+ pivot_root oldroot=/mnt/root/old/ /mnt/root/,
+ pivot_root /mnt/root/,
# Ptrace rules
- ptrace (trace) peer=unconfined,
- ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
+ ptrace (trace) peer=unconfined,
+ ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
# Unix rules
- unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
- unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
- unix peer=(label=@{profile_name},addr=@helloworld),
+ unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
+ unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
+ unix peer=(label=@{profile_name},addr=@helloworld),
# Rlimit rule
- set rlimit data <= 100M,
- set rlimit nproc <= 10,
- set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit data <= 100M,
+ set rlimit nproc <= 10,
+ set rlimit memlock <= 2GB,
+ set rlimit rss <= infinity,
# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash ->
- new_profile//hat,
- }
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile /bin/bash ->
+ new_profile//hat,
+ }
# Hat
- ^foo-helper\/ {
- network unix stream,
- unix stream,
+ ^foo-helper\/ {
+ network unix stream,
+ unix stream,
- /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
+ /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
# Text after a variable is highlighted as path
- file /my/path r,
- @{FOO_LIB}file r,
- @{FOO_LIB}#my/path r, #Comment
- @{FOO_LIB}ñ* r,
- unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
- }
-}
+ file /my/path r,
+ @{FOO_LIB}file r,
+ @{FOO_LIB}#my/path r, #Comment
+ @{FOO_LIB}ñ* r,
+ unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
+ }
+}
# Syntax Error
-/usr/bin/error (complain, audit) {
- file #include /hello r,
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
# Error: Variable open or with characters not allowed
- @{var
- @{sdf&s}
+ @{var
+ @{sdf&s}
# Error: Open brackets
- /{hello{ab,cd}world kr,
- /{abc{abc kr,
- /[abc kr,
- /(abc kr,
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
# Error: Empty brackets
- /hello[]hello{}hello()he kr,
+ /hello[]hello{}hello()he kr,
# Comments not allowed
- dbus (send) #No comment
+ dbus (send) #No comment
path=/org/hello
#No comment
interface=org.hello #No comment
peer=(name=org.hello #No comment
- label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+ label=unconfined), #Comment
+
+ # Don't allow assignment of variables within profiles
+ @{VARIABLE} = val1 val2 val3 # Comment
+
+ # Alias rules not allowed within profiles
+ alias /run/ -> /mnt/run/,
# Error: Open rule
/home/*/file rw
- capability dac_override
- deny file /etc/fstab w
- audit network ieee802154,
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
- dbus (receive
- unix stream,
- unix stream,
-}
+ dbus (receive
+ unix stream,
+ unix stream,
+}
-profile other_tests {
+profile other_tests {
# set rlimit
- set rlimit nice <= 3,
- rlimit nice <= 3, # Without "set"
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
set #comment
- rlimit
- nice <= 3,
+ rlimit
+ nice <= 3,
# "remount" keyword
- mount remount
- remount,
- remount remount
- remount,
- dbus remount
- remount,
- unix remount
- remount,
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
# "unix" keyword
- network unix
- unix,
- ptrace unix
- unix,
- unix unix
- unix,
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile name
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile name
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile name
+
+ /usr/bin/foo cx -> "hello*", # profile name
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile name
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile name
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name
# Access modes
/hello/lib/foo rwklms, # s invalid
- /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
- /hello/lib/foo rrwrwwrwrw,
- /hello/lib/foo ixixix,
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
# Incompatible exec permissions
ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
# Test valid permissions
- r w a k l m l x ix ux Ux px Px cx Cx ,
- pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
- rwklmx raklmx,
- r rw rwk rwkl rwklm,
- rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
- rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
- rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
# Profile name
- profile holas { ... }
- profile { ... }
- profile /path { ... }
- profile holas/abc { ... }
- profile holas\/abc { ... }
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
profile
- #holas { ... }
+ #holas { ... }
- profile flags=(complain)#asd { ... }
- profile flags flags=(complain) { ... }
- profile flags(complain) { ... }
-}
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -40,7 +40,7 @@
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt
-
+
owner file @{HOME}/.local/share/foo/{,**} rwkl,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
@@ -141,7 +141,7 @@
# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash ->
+ change_profile /bin/bash ->
new_profile//hat,
}
@@ -185,7 +185,12 @@
interface=org.hello #No comment
peer=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Don't allow assignment of variables within profiles
+ @{VARIABLE} = val1 val2 val3 # Comment
+
+ # Alias rules not allowed within profiles
+ alias /run/ -> /mnt/run/,
# Error: Open rule
/home/*/file rw
@@ -224,25 +229,25 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile name
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile name
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile name
+
+ /usr/bin/foo cx -> "hello*", # profile name
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile name
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile name
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name
# Access modes
/hello/lib/foo rwklms, # s invalid
- /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test
--- a/autotests/input/usr.bin.apparmor-profile-test
+++ b/autotests/input/usr.bin.apparmor-profile-test
@@ -34,7 +34,7 @@
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt
-
+
owner file @{HOME}/.local/share/foo/{,**} rwkl,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
@@ -135,7 +135,7 @@
# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash ->
+ change_profile /bin/bash ->
new_profile//hat,
}
@@ -179,7 +179,12 @@
interface=org.hello #No comment
peer=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Don't allow assignment of variables within profiles
+ @{VARIABLE} = val1 val2 val3 # Comment
+
+ # Alias rules not allowed within profiles
+ alias /run/ -> /mnt/run/,
# Error: Open rule
/home/*/file rw
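Review bot: The new variable keywords this commit adds to data/syntax/apparmor.xml (`flatpak_exports_root`, `system_share_dirs`, `user_share_dirs`, hunk `@@ -581,6 +586,9 @@`) are not exercised by any change to this test input, which still references the Flatpak export tree only as the literal path `"/var/lib/flatpak/exports/share/**"`; the two blocks added here cover only the variable-assignment and alias changes. A rule such as `owner @{user_share_dirs}/** r,` next to the existing `@{USER_DIR}` rule, with the .fold/.html/.ref references regenerated, would pin the new keyword highlighting so a later regression is caught by the autotest rather than noticed by a policy author. It would also help to say why the two new blocks are errors, e.g. `# apparmor_parser accepts variable assignments and alias rules only in the preamble, outside any profile block` — as I read apparmor.d(5) that is the reason, but the changelog entry only states that they are no longer highlighted within profiles. These lines sit inside the `/usr/bin/error (complain, audit) {` block, which opens before this hunk.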
@@ -218,25 +223,25 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile name
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile name
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile name
+
+ /usr/bin/foo cx -> "hello*", # profile name
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile name
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile name
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name
# Access modes
/hello/lib/foo rwklms, # s invalid
- /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -34,7 +34,7 @@
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt
-
+
owner file @{HOME}/.local/share/foo/{,**} rwkl,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
@@ -135,7 +135,7 @@
# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash ->
+ change_profile /bin/bash ->
new_profile//hat,
}
@@ -179,7 +179,12 @@
=org.hello #No comment
=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Don't allow assignment of variables within profiles
+ @{VARIABLE} = val1 val2 val3 # Comment
+
+ # Alias rules not allowed within profiles
+ alias /run/ -> /mnt/run/,
# Error: Open rule
/home/*/file rw
@@ -218,25 +223,25 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile name
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile name
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile name
+
+ /usr/bin/foo cx -> "hello*", # profile name
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile name
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile name
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name
# Access modes
/hello/lib/foo rwklms, # s invalid
- /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -36,12 +36,16 @@
==========================================================================================
Last update:
- Syntax highlighting based in AppArmor 2.13.0
+ Syntax highlighting based on AppArmor 2.13.2
For more details about the syntax of AppArmor profiles, visit:
https://gitlab.com/apparmor/apparmor/wikis/Documentation
http://manpages.ubuntu.com/manpages/cosmic/en/man5/apparmor.d.5.html
Change log:
+ * Version 8 [02-Apr-2019]: (AppArmor 2.13.2)
+ - Do not highlight variable assignments and alias rules within profiles.
+ - Add keywords of "tunables/share" variables.
+ - Change style of "Other Option" attribute and remove one indentation.
* Version 7 [15-Sep-2018]:
- Update itemData's style for the new Solarized color schemes.
- Fixes in "_end_rule_irnc".
@@ -64,7 +68,7 @@
-->
unsafe
+
- if
- exists
@@ -581,6 +586,9 @@
- XDG_MUSIC_DIR
- XDG_PICTURES_DIR
- XDG_VIDEOS_DIR
+ - flatpak_exports_root
+ - system_share_dirs
+ - user_share_dirs
- abstractions/
@@ -737,7 +745,7 @@
has a different context and for a correct delimitation of the words.
- The content of a rule is found in the contexts "_default_rule"
and "_default_rule_with_comments".
- - When adding a new rule, add it also in "_end_rule_irnc". -->
+ - When adding a new rule, add it also in "_end_rule_irnc"! -->
- mount
- remount
@@ -762,50 +770,65 @@
-
-
-
-
-
-
-
-
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
-
@@ -818,6 +841,7 @@
+
@@ -837,9 +861,10 @@
+
-
+
@@ -966,6 +991,21 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1198,7 +1238,7 @@
+ Highlight the profile name in File Rules (Execute Mode) and Change Profile Rules. -->
@@ -1258,7 +1298,8 @@
-
+
@@ -1301,7 +1342,6 @@
-
@@ -1315,6 +1355,7 @@
('unix' is also a domain of the network rule; 'remount' is also a flag of the mount rule). -->
+
@@ -1324,7 +1365,6 @@
-
@@ -1337,6 +1377,7 @@
+
@@ -1511,7 +1552,7 @@
-
+