usr.bin.apparmor-profile-test

diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold new file mode 100644 --- /dev/null +++ b/autotests/folding/usr.bin.apparmor-profile-test.fold @@ -0,0 +1,210 @@ +# Example AppArmor Profile. +# License: Public Domain +# Last change: August 29, 2017 + +# NOTE: This profile is not fully functional, since +# it is designed to test the syntax highlighting. + +include + +# Declare an AppArmor variables to help with overrides +@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo +@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop + +# Profile for /usr/bin/foo +/usr/bin/foo (attach_disconnected, enforce) { + include + include + include + include + include + include + include + include + + #include + #include + #include"/etc/apparmor.d/abstractions/open-browser" + include "/etc/apparmor.d/abstractions/open-email" + + /{,**/} r,# Read only directories + + owner /{home,media,mnt,srv,net}/** r, + owner @{USER_DIR}/{,**} rw, + + audit deny owner /**/* mx, + audit deny owner /**/**.py* r, + + # Files supported + /**.[tT][xX][tT] r, # txt + /**.[wW][bB][mM][pP] r, # wbmp + /**.[wW][eE][bB][pP] r, # webp + + # Local configuration + owner file @{HOME}/.local/share/foo/{,**} rwk, + owner @{HOME}/.local/share/RecentDocuments/* rwk, + owner @{HOME}/.config/foo/{,**} rwk, + owner @{HOME}/.config/foorc{,.lock} rwk, + owner @{HOME}/.config/.[a-zA-Z0-9]* rwk, + owner @{HOME}/.cache/foo/{,**} rwk, + + "/usr/share/**" r, + "/var/lib/flatpak/exports/share/**" r, + "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, + "/var/lib/snapd/desktop/applications/**" r, + + allow file /etc/nsswitch.conf r, + allow /etc/fstab r, + /etc/udev/udev.conf r, + /etc/passwd r, + /etc/xdg/{,**} r, + /etc/xdg/Trolltech.conf k, + deny /etc/xdg/{autostart,systemd}/{,**} rw, + deny /boot/** rwlkmx, + @{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r, + /sys/devices/**/uevent r, + + # Libraries and binaries + /usr/bin/foo ixr, + /usr/bin/dolphin PUx, + /usr/bin/khelpcenter Cxr -> sanitized_helper, + /usr/bin/helloworld Cxr -> hello_world, + /usr/bin/* Pixr, + /usr/lib{,64}/** Pixr, + /usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m, + @{FOO_LIB}/{,**} mr, + + # Temporal files and sockets + owner /tmp/{*lock,kde-*/**} rwk, + owner /var/tmp/kdecache-*/* rwk, + owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk, + owner /run/user/[0-9]*/ksocket-*/{,**} rwk, + /run/dbus/system_bus_socket w, + + /dev/{ati,dri}/** rw, + audit deny /dev/{audio,video}* rwlkmx, + + # Dbus rules + dbus (send) + bus=system + path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Introspectable + peer=(name=org.freedesktop.NetworkManager label=unconfined), + dbus (send receive) + bus=system + path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={Introspect,state} + peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), + dbus (send) + bus=session + path=/org/gnome/GConf/Database/* + member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, + + # Signal rules + signal (send) set=(term) peer=unconfined, + signal (send, receive) set=(int exists) peer=/usr/lib/hello/world//foo-helper, + + # Child profile + profile hello_world { + # File rules (three different ways) + file /usr/lib{,32,64}/helloworld/**.so mr, + /usr/lib{,32,64}/helloworld/** r, + rk /usr/lib{,32,64}/helloworld/hello,file, + + # Link rules (two ways) + l /foo1 -> /bar, + link /foo2 -> bar, + link /foo3 to bar, + link subset /link* -> /**, + + # Network rules + network inet6 tcp,#Allow access to tcp only for inet6 addresses + network netlink dgram, + network bluetooth, + + # Capability rules + capability dac_override, + capability sys_admin, + capability sys_chroot, + + # Mount rules + mount options=(rw bind remount nodev noexec) fstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, + mount options in (rw, bind) / -> /run/hellowordd/*.mnt, + umount /home/*/helloworld/, + + # Pivot Root rules + pivot_root oldroot=/mnt/root/old/ /mnt/root/, + pivot_root /mnt/root/, + + # Ptrace rules + ptrace (trace) peer=unconfined, + ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, + + # Unix rules + unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*), + unix (send,receive) type=(stream) protocol=0 peer=(addr=none), + unix peer=(label=@{profile_name},addr=@helloworld), + + # Rlimit rule + set rlimit data <= 100M, + set rlimit nproc <= 10, + set rlimit nice <= 5, + + # Change Profile rules + change_profile unsafe /** -> [^u/]**, + change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, + change_profile /bin/bash -> new_profile, + + # Alias + alias /usr/ -> /mnt/usr/, + } + + # Hat + ^foo-helper { + network unix stream, + unix stream, + + /usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions + + # Text after a variable is highlighted as path + file /my/path r, + @{FOO_LIB}file r, + @{FOO_LIB}#my/path r, #Comment + } +} + +# Profile for /usr/bin/error +profile syntax_error /usr/bin/error flags=(complain audit) { + # Syntax error highlighting: + + # Error: Include + include + include + #includefilepath + # include + file #include /hello r, + + # Error: Variable open or with characters not allowed + @{var + @{sdf&s} + + # Error: Open brackets + /{hello{ab,cd}world kr, + /{abc{abc kr, + /[abc kr, + /(abc kr, + + # Error: Empty brackets + /hello[]hello{}hello()he kr, + + # Error: Open rule + /home/*/file rw + capability dac_overridecapability dac_override + deny file /etc/fstab w + audit network ieee802154, + + dbus (receivedbus (receive + unix stream,unix stream, + unix stream,unix stream, +} diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html new file mode 100644 --- /dev/null +++ b/autotests/html/usr.bin.apparmor-profile-test.html @@ -0,0 +1,217 @@ + + + +usr.bin.apparmor-profile-test + +

+# Example AppArmor Profile.
+# License: Public Domain
+# Last change: August 29, 2017
+
+# NOTE: This profile is not fully functional, since
+# it is designed to test the syntax highlighting.
+
+include <tunables/global>
+
+# Declare an AppArmor variables to help with overrides
+@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo
+@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop
+
+# Profile for /usr/bin/foo
+/usr/bin/foo (attach_disconnected, enforce) {
+	include <abstractions/base>
+	include <abstractions/dbus>
+	include <abstractions/dbus-session>
+	include <abstractions/dbus-accessibility>
+	include <abstractions/fonts>
+	include <abstractions/X>
+	include <abstractions/kde>
+	include <abstractions/consoles>
+
+	#include <abstractions/ubuntu-helpers>
+	#include<abstractions/confidential-deny>
+	#include"/etc/apparmor.d/abstractions/open-browser"
+	include "/etc/apparmor.d/abstractions/open-email"
+
+	/{,**/} r,# Read only directories
+
+	owner /{home,media,mnt,srv,net}/** r,
+	owner @{USER_DIR}/{,**} rw,
+
+	audit deny owner /**/* mx,
+	audit deny owner /**/**.py* r,
+
+	# Files supported
+	/**.[tT][xX][tT] r, # txt
+	/**.[wW][bB][mM][pP] r, # wbmp
+	/**.[wW][eE][bB][pP] r, # webp
+
+	# Local configuration
+	owner file @{HOME}/.local/share/foo/{,**} rwk,
+	owner @{HOME}/.local/share/RecentDocuments/* rwk,
+	owner @{HOME}/.config/foo/{,**} rwk,	
+	owner @{HOME}/.config/foorc{,.lock} rwk,
+	owner @{HOME}/.config/.[a-zA-Z0-9]* rwk,
+	owner @{HOME}/.cache/foo/{,**} rwk,
+
+	"/usr/share/**" r,
+	"/var/lib/flatpak/exports/share/**" r,
+	"/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
+	"/var/lib/snapd/desktop/applications/**" r,
+
+	allow file /etc/nsswitch.conf r,
+	allow /etc/fstab r,
+	/etc/udev/udev.conf r,
+	/etc/passwd r,
+	/etc/xdg/{,**} r,
+	/etc/xdg/Trolltech.conf k,
+	deny /etc/xdg/{autostart,systemd}/{,**} rw,
+	deny /boot/** rwlkmx,
+	@{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+	/sys/devices/**/uevent r,
+
+	# Libraries and binaries
+	/usr/bin/foo ixr,
+	/usr/bin/dolphin PUx,
+	/usr/bin/khelpcenter Cxr -> sanitized_helper,
+	/usr/bin/helloworld Cxr -> hello_world,
+	/usr/bin/* Pixr,
+	/usr/lib{,64}/** Pixr,
+	/usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m,
+	@{FOO_LIB}/{,**} mr,
+
+	# Temporal files and sockets
+	owner /tmp/{*lock,kde-*/**} rwk,
+	owner /var/tmp/kdecache-*/* rwk,
+	owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk,
+	owner /run/user/[0-9]*/ksocket-*/{,**} rwk,
+	/run/dbus/system_bus_socket w,
+
+	/dev/{ati,dri}/** rw,
+	audit deny /dev/{audio,video}* rwlkmx,
+
+	# Dbus rules
+	dbus (send)
+		bus=system
+		path=/org/freedesktop/NetworkManager
+		interface=org.freedesktop.DBus.Introspectable
+		peer=(name=org.freedesktop.NetworkManager label=unconfined),
+	dbus (send receive)
+		bus=system
+		path=/org/freedesktop/NetworkManager
+		interface=org.freedesktop.NetworkManager
+		member={Introspect,state}
+		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+	dbus (send)
+		bus=session
+		path=/org/gnome/GConf/Database/*
+		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+
+	# Signal rules
+	signal (send) set=(term) peer=unconfined,
+	signal (send, receive) set=(int exists) peer=/usr/lib/hello/world//foo-helper,
+
+	# Child profile
+	profile hello_world {
+		# File rules (three different ways)
+		file /usr/lib{,32,64}/helloworld/**.so mr,
+		/usr/lib{,32,64}/helloworld/** r,
+		rk /usr/lib{,32,64}/helloworld/hello,file,
+
+		# Link rules (two ways)
+		l /foo1 -> /bar,
+		link /foo2 -> bar,
+		link /foo3 to bar,
+		link subset /link* -> /**,
+
+		# Network rules
+		network inet6 tcp,#Allow access to tcp only for inet6 addresses
+		network netlink dgram,
+		network bluetooth,
+
+		# Capability rules
+		capability dac_override,
+		capability sys_admin,
+		capability sys_chroot,
+
+		# Mount rules
+		mount options=(rw bind remount nodev noexec) fstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+		mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
+		umount /home/*/helloworld/,
+
+		# Pivot Root rules
+		pivot_root oldroot=/mnt/root/old/ /mnt/root/,
+		pivot_root /mnt/root/,
+
+		# Ptrace rules
+		ptrace (trace) peer=unconfined,
+		ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
+
+		# Unix rules
+		unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*),
+		unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
+		unix peer=(label=@{profile_name},addr=@helloworld),
+
+		# Rlimit rule
+		set rlimit data <= 100M,
+		set rlimit nproc <= 10,
+		set rlimit nice <= 5,
+
+		# Change Profile rules
+		change_profile unsafe /** -> [^u/]**,
+		change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+		change_profile /bin/bash -> new_profile,
+
+		# Alias
+		alias /usr/ -> /mnt/usr/,
+	}
+
+	# Hat
+	^foo-helper {
+		network unix stream,
+		unix stream,
+
+		/usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions
+
+		# Text after a variable is highlighted as path
+		file /my/path r,
+		@{FOO_LIB}file r,
+		@{FOO_LIB}#my/path r, #Comment
+	}
+}
+
+# Profile for /usr/bin/error
+profile syntax_error /usr/bin/error flags=(complain audit) {
+	# Syntax error highlighting:
+
+	# Error: Include
+	include<filepath>
+	include <filepath >
+	#includefilepath
+	# include
+	file #include /hello r,
+
+	# Error: Variable open or with characters not allowed
+	@{var
+	@{sdf&s}
+
+	# Error: Open brackets
+	/{hello{ab,cd}world  kr,
+	/{abc{abc kr,
+	/[abc  kr,
+	/(abc kr,
+
+	# Error: Empty brackets
+	/hello[]hello{}hello()he  kr,
+
+	# Error: Open rule
+	/home/*/file rw
+	capability dac_override
+	deny file /etc/fstab w
+	audit network ieee802154,
+
+	dbus (receive
+	unix stream,
+	unix stream,
+}
+

diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test new file mode 100755 --- /dev/null +++ b/autotests/input/usr.bin.apparmor-profile-test @@ -0,0 +1,210 @@ +# Example AppArmor Profile. +# License: Public Domain +# Last change: August 29, 2017 + +# NOTE: This profile is not fully functional, since +# it is designed to test the syntax highlighting. + +include + +# Declare an AppArmor variables to help with overrides +@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo +@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop + +# Profile for /usr/bin/foo +/usr/bin/foo (attach_disconnected, enforce) { + include + include + include + include + include + include + include + include + + #include + #include + #include"/etc/apparmor.d/abstractions/open-browser" + include "/etc/apparmor.d/abstractions/open-email" + + /{,**/} r,# Read only directories + + owner /{home,media,mnt,srv,net}/** r, + owner @{USER_DIR}/{,**} rw, + + audit deny owner /**/* mx, + audit deny owner /**/**.py* r, + + # Files supported + /**.[tT][xX][tT] r, # txt + /**.[wW][bB][mM][pP] r, # wbmp + /**.[wW][eE][bB][pP] r, # webp + + # Local configuration + owner file @{HOME}/.local/share/foo/{,**} rwk, + owner @{HOME}/.local/share/RecentDocuments/* rwk, + owner @{HOME}/.config/foo/{,**} rwk, + owner @{HOME}/.config/foorc{,.lock} rwk, + owner @{HOME}/.config/.[a-zA-Z0-9]* rwk, + owner @{HOME}/.cache/foo/{,**} rwk, + + "/usr/share/**" r, + "/var/lib/flatpak/exports/share/**" r, + "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r, + "/var/lib/snapd/desktop/applications/**" r, + + allow file /etc/nsswitch.conf r, + allow /etc/fstab r, + /etc/udev/udev.conf r, + /etc/passwd r, + /etc/xdg/{,**} r, + /etc/xdg/Trolltech.conf k, + deny /etc/xdg/{autostart,systemd}/{,**} rw, + deny /boot/** rwlkmx, + @{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r, + /sys/devices/**/uevent r, + + # Libraries and binaries + /usr/bin/foo ixr, + /usr/bin/dolphin PUx, + /usr/bin/khelpcenter Cxr -> sanitized_helper, + /usr/bin/helloworld Cxr -> hello_world, + /usr/bin/* Pixr, + /usr/lib{,64}/** Pixr, + /usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m, + @{FOO_LIB}/{,**} mr, + + # Temporal files and sockets + owner /tmp/{*lock,kde-*/**} rwk, + owner /var/tmp/kdecache-*/* rwk, + owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk, + owner /run/user/[0-9]*/ksocket-*/{,**} rwk, + /run/dbus/system_bus_socket w, + + /dev/{ati,dri}/** rw, + audit deny /dev/{audio,video}* rwlkmx, + + # Dbus rules + dbus (send) + bus=system + path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Introspectable + peer=(name=org.freedesktop.NetworkManager label=unconfined), + dbus (send receive) + bus=system + path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member={Introspect,state} + peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), + dbus (send) + bus=session + path=/org/gnome/GConf/Database/* + member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, + + # Signal rules + signal (send) set=(term) peer=unconfined, + signal (send, receive) set=(int exists) peer=/usr/lib/hello/world//foo-helper, + + # Child profile + profile hello_world { + # File rules (three different ways) + file /usr/lib{,32,64}/helloworld/**.so mr, + /usr/lib{,32,64}/helloworld/** r, + rk /usr/lib{,32,64}/helloworld/hello,file, + + # Link rules (two ways) + l /foo1 -> /bar, + link /foo2 -> bar, + link /foo3 to bar, + link subset /link* -> /**, + + # Network rules + network inet6 tcp,#Allow access to tcp only for inet6 addresses + network netlink dgram, + network bluetooth, + + # Capability rules + capability dac_override, + capability sys_admin, + capability sys_chroot, + + # Mount rules + mount options=(rw bind remount nodev noexec) fstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, + mount options in (rw, bind) / -> /run/hellowordd/*.mnt, + umount /home/*/helloworld/, + + # Pivot Root rules + pivot_root oldroot=/mnt/root/old/ /mnt/root/, + pivot_root /mnt/root/, + + # Ptrace rules + ptrace (trace) peer=unconfined, + ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, + + # Unix rules + unix (connect receive send) type=(stream) peer=(label=unconfined addr=@/tmp/ibus/dbus-*), + unix (send,receive) type=(stream) protocol=0 peer=(addr=none), + unix peer=(label=@{profile_name},addr=@helloworld), + + # Rlimit rule + set rlimit data <= 100M, + set rlimit nproc <= 10, + set rlimit nice <= 5, + + # Change Profile rules + change_profile unsafe /** -> [^u/]**, + change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, + change_profile /bin/bash -> new_profile, + + # Alias + alias /usr/ -> /mnt/usr/, + } + + # Hat + ^foo-helper { + network unix stream, + unix stream, + + /usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions + + # Text after a variable is highlighted as path + file /my/path r, + @{FOO_LIB}file r, + @{FOO_LIB}#my/path r, #Comment + } +} + +# Profile for /usr/bin/error +profile syntax_error /usr/bin/error flags=(complain audit) { + # Syntax error highlighting: + + # Error: Include + include + include + #includefilepath + # include + file #include /hello r, + + # Error: Variable open or with characters not allowed + @{var + @{sdf&s} + + # Error: Open brackets + /{hello{ab,cd}world kr, + /{abc{abc kr, + /[abc kr, + /(abc kr, + + # Error: Empty brackets + /hello[]hello{}hello()he kr, + + # Error: Open rule + /home/*/file rw + capability dac_override + deny file /etc/fstab w + audit network ieee802154, + + dbus (receive + unix stream, + unix stream, +} diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref new file mode 100644 --- /dev/null +++ b/autotests/reference/usr.bin.apparmor-profile-test.ref @@ -0,0 +1,210 @@ +# Example AppArmor Profile.
+# License: Public Domain
+# Last change: August 29, 2017
+
+# NOTE: This profile is not fully functional, since
+# it is designed to test the syntax highlighting.
+
+include
+
+# Declare an AppArmor variables to help with overrides
+@{FOO_LIB}=/usr/lib{,64,/*-linux-gnu}/foo
+@{USER_DIR}=@{HOME}/Public @{HOME}/Desktop
+
+# Profile for /usr/bin/foo
+/usr/bin/foo (attach_disconnected, enforce) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ #include
+ #include
+ #include"/etc/apparmor.d/abstractions/open-browser"
+ include "/etc/apparmor.d/abstractions/open-email"
+
+ /{,**/} r,# Read only directories
+
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/{,**} rw,
+
+ audit deny owner /**/* mx,
+ audit deny owner /**/**.py* r,
+
+ # Files supported
+ /**.[tT][xX][tT] r, # txt
+ /**.[wW][bB][mM][pP] r, # wbmp
+ /**.[wW][eE][bB][pP] r, # webp
+
+ # Local configuration
+ owner file @{HOME}/.local/share/foo/{,**} rwk,
+ owner @{HOME}/.local/share/RecentDocuments/* rwk,
+ owner @{HOME}/.config/foo/{,**} rwk,
+ owner @{HOME}/.config/foorc{,.lock} rwk,
+ owner @{HOME}/.config/.[a-zA-Z0-9]* rwk,
+ owner @{HOME}/.cache/foo/{,**} rwk,
+
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
+ "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
+ "/var/lib/snapd/desktop/applications/**" r,
+
+ allow file /etc/nsswitch.conf r,
+ allow /etc/fstab r,
+ /etc/udev/udev.conf r,
+ /etc/passwd r,
+ /etc/xdg/{,**} r,
+ /etc/xdg/Trolltech.conf k,
+ deny /etc/xdg/{autostart,systemd}/{,**} rw,
+ deny /boot/** rwlkmx,
+ @{PROC}/[0-9]*/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
+
+ # Libraries and binaries
+ /usr/bin/foo ixr,
+ /usr/bin/dolphin PUx,
+ /usr/bin/khelpcenter Cxr -> sanitized_helper,
+ /usr/bin/helloworld Cxr -> hello_world,
+ /usr/bin/* Pixr,
+ /usr/lib{,64}/** Pixr,
+ /usr/lib{,64,/*-linux-gnu}/qt5/plugins/{,**/}*.so m,
+ @{FOO_LIB}/{,**} mr,
+
+ # Temporal files and sockets
+ owner /tmp/{*lock,kde-*/**} rwk,
+ owner /var/tmp/kdecache-*/* rwk,
+ owner /run/user/[0-9]*/{*-socket,bus,kdeinit5*,foo*} rwk,
+ owner /run/user/[0-9]*/ksocket-*/{,**} rwk,
+ /run/dbus/system_bus_socket w,
+
+ /dev/{ati,dri}/** rw,
+ audit deny /dev/{audio,video}* rwlkmx,
+
+ # Dbus rules
+ dbus (send)
+ =system
+ =/org/freedesktop/NetworkManager
+ =org.freedesktop.DBus.Introspectable
+ =(name=org.freedesktop.NetworkManager label=unconfined),
+ dbus (send receive)
+ =system
+ =/org/freedesktop/NetworkManager
+ =org.freedesktop.NetworkManager
+ ={Introspect,state}
+ =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ dbus (send)
+ =session
+ =/org/gnome/GConf/Database/*
+ ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+
+ # Signal rules
+ signal (send) =(term) =unconfined,
+ signal (send, receive) =(int exists) =/usr/lib/hello/world//foo-helper,
+
+ # Child profile
+ profile hello_world {
+ # File rules (three different ways)
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
+
+ # Link rules (two ways)
+ l /foo1 -> /bar,
+ link /foo2 -> bar,
+ link /foo3 to bar,
+ link subset /link* -> /**,
+
+ # Network rules
+ network inet6 tcp,#Allow access to tcp only for inet6 addresses
+ network netlink dgram,
+ network bluetooth,
+
+ # Capability rules
+ capability dac_override,
+ capability sys_admin,
+ capability sys_chroot,
+
+ # Mount rules
+ mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount in (rw, bind) / -> /run/hellowordd/*.mnt,
+ umount /home/*/helloworld/,
+
+ # Pivot Root rules
+ pivot_root =/mnt/root/old/ /mnt/root/,
+ pivot_root /mnt/root/,
+
+ # Ptrace rules
+ ptrace (trace) =unconfined,
+ ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,
+
+ # Unix rules
+ unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
+ unix (send,receive) =(stream) =0 =(addr=none),
+ unix =(label=@{profile_name},addr=@helloworld),
+
+ # Rlimit rule
+ set rlimit data <= 100M,
+ set rlimit nproc <= 10,
+ set rlimit nice <= 5,
+
+ # Change Profile rules
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile /bin/bash -> new_profile,
+
+ # Alias
+ alias /usr/ -> /mnt/usr/,
+ }
+
+ # Hat
+ ^foo-helper {
+ network unix stream,
+ unix stream,
+
+ /usr/hi\"esc\x23esc\032esc\c3esc r, # Escape expressions
+
+ # Text after a variable is highlighted as path
+ file /my/path r,
+ @{FOO_LIB}file r,
+ @{FOO_LIB}#my/path r, #Comment
+ }
+}
+
+# Profile for /usr/bin/error
+profile syntax_error /usr/bin/error =(complain audit) {
+ # Syntax error highlighting:
+
+ # Error: Include
+ include
+ include <filepath >
+ #includefilepath
+ # include
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,
+ unix stream,
+}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml new file mode 100755 --- /dev/null +++ b/data/syntax/apparmor.xml @@ -0,0 +1,1161 @@ + + + + + + +]> + + + + + + + + + + profile + hat + + + flags + + + audit + complain + enforce + mediate_deleted + attach_disconnected + chroot_relative + + + + + allow + deny + + + audit + + + + + + set + + + alias + + + owner + file + + capability + network + mount + remount + umount + pivot_root + ptrace + signal + dbus + unix + link + change_profile + rlimit + + + + audit_control + audit_read + audit_write + block_suspend + chown + dac_override + dac_read_search + fowner + fsetid + ipc_lock + ipc_owner + kill + lease + linux_immutable + mac_admin + mac_override + mknod + net_admin + net_bind_service + net_broadcast + net_raw + setgid + setfcap + setpcap + setuid + sys_admin + sys_boot + sys_chroot + sys_module + sys_nice + sys_pacct + sys_ptrace + sys_rawio + sys_resource + sys_time + sys_tty_config + syslog + wake_alarm + + + + + + inet + ax25 + ipx + appletalk + netrom + bridge + atmpvc + x25 + inet6 + rose + netbeui + security + key + packet + ash + econet + atmsvc + sna + irda + pppox + wanpipe + bluetooth + netlink + rds + llc + can + tipc + iucv + rxrpc + isdn + phonet + ieee802154 + caif + alg + nfc + vsock + mpls + ib + + + stream + dgram + seqpacket + rdm + raw + + + tcp + udp + icmp + + + + unix + + + + + fstype + vfstype + options + + + rw + ro + bind + remount + nosuid + suid + nodev + dev + noexec + exec + sync + async + mand + nomand + dirsync + noatime + atime + nodiratime + diratime + rbind + move + verbose + silent + loud + acl + noacl + unbindable + runbindable + private + rprivate + slave + rslave + shared + rshared + relatime + norelatime + iversion + noiversion + strictatime + nouser + user + + + + autofs + bdev + bpf + cachefs + cgroup + cgroup2 + cifs + coherent + configfs + cpuset + cramfs + debugfs + devfs + devpts + devtmpfs + ecryptfs + efs + fuse + fuseblk + fusectl + hugetlbfs + iso9660 + kernfs + mqueue + pipefs + proc + procfs + pstore + ramfs + romfs + rootfs + securityfs + sockfs + specfs + squashfs + swapfs + sysfs + sysv + tmpfs + usbfs + vfat + + adfs + affs + apfs + btrfs + coda + exfat + ext2 + ext3 + ext4 + f2fs + fatx + hfs + hfsplus + hpfs + jfs + lvm2 + minix + msdos + ncpfs + nilfs + nilfs2 + nfs + nfs4 + ntfs + ntfs-3g + openzfs + qnx4 + qnx6 + reiser4 + reiserfs + smbfs + swap + tracefs + ubifs + udf + ufs + umsdos + urefs + xenix + xfs + zfs + + + + + + oldroot + + + + + peer + + + + read + readby + trace + tracedby + + + + + set + peer + + + + bus + hup + int + quit + ill + trap + abrt + fpe + kill + usr1 + segv + usr2 + pipe + alrm + term + stkflt + chld + cont + stop + stp + ttin + ttou + urg + xcpu + xfsz + vtalrm + prof + winch + io + pwr + sys + emt + exists + + + + read + write + send + receive + + + + + peer + bus + path + interface + member + + + name + label + + + send + receive + bind + eavesdrop + + + system + session + + + + + peer + set + label + type + protocol + addr + attr + opt + + + + send + receive + bind + create + listen + accept + connect + shutdown + getattr + setattr + getopt + setopt + + + + + cpu + fsize + data + stack + core + rss + nofile + ofile + as + nproc + memlock + locks + sigpending + msgqueue + nice + rtprio + rttime + + + + + subset + + + + + safe + unsafe + + + + + rw + r + w + + + + none + unconfined + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +