diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
index e8d48f5..af46025 100644
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -1,275 +1,275 @@ # Sample AppArmor Profile. # License: Public Domain # NOTE: This profile is not fully functional, since # it is designed to test the syntax highlighting. include # Variable assignment @{FOO_LIB}=/usr/lib{,32,64}/foo @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ deny owner #No-comment aa#aa ${BOOL} = true # Alias alias /usr/ -> /mnt/usr/, # Profile for /usr/bin/foo profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" include if exists include #include /some/file mr, #include /bin/true Px, # File rules /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, "/var/lib/{spaces in string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> - hello_world, + hello_world, # Dbus rules dbus (send) #No-Comment bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable peer=(name=org.freedesktop.NetworkManager label=unconfined), dbus (send receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={Introspect,state} peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), dbus (send) bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, dbus (bind) bus=system name=org.bluez, # Signal 
rules signal (send) set=(term) peer="/usr/lib/hello/world// foo helper", signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile profile hello_world { # File rules (three different ways) file /usr/lib{,32,64}/helloworld/**.so mr, /usr/lib{,32,64}/helloworld/** r, rk /usr/lib{,32,64}/helloworld/hello,file, # Link rules (two ways) l /foo1 -> /bar, link /foo2 -> bar, - link /foo3 to bar, link subset /link* -> /**, # Network rules network inet6 tcp, network netlink dgram, network bluetooth, network unspec dgram, # Capability rules capability dac_override, capability sys_admin, capability sys_chroot, # Mount rules mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, mount options in (rw, bind) / -> /run/hellowordd/*.mnt, mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*, umount /home/*/helloworld/, # Pivot Root rules pivot_root oldroot=/mnt/root/old/ /mnt/root/, pivot_root /mnt/root/, # Ptrace rules ptrace (trace) peer=unconfined, ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined), unix (send,receive) type=(stream) protocol=0 peer=(addr=none), unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule set rlimit data <= 100M, set rlimit nproc <= 10, set rlimit memlock <= 2GB, set rlimit rss <= infinity, + set rlimit nice <= -12, # Change Profile rules change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, } # Hat ^foo-helper\/ { network unix stream, unix stream, /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment @{FOO_LIB}ñ* r, unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } } # Syntax Error 
/usr/bin/error (complain, audit) { file #include /hello r, # Error: Variable open or with characters not allowed @{var @{sdf&s} # Error: Open brackets /{hello{ab,cd}world kr, /{abc{abc kr, /[abc kr, /(abc kr, # Error: Empty brackets /hello[]hello{}hello()he kr, # Comments not allowed dbus (send) #No comment path=/org/hello #No comment interface=org.hello #No comment peer=(name=org.hello #No comment label=unconfined), #Comment # Don't allow assignment of variables within profiles @{VARIABLE} = val1 val2 val3 # Comment # Alias rules not allowed within profiles alias /run/ -> /mnt/run/, # Error: Open rule /home/*/file rw capability dac_override deny file /etc/fstab w audit network ieee802154, dbus (receive unix stream, unix stream, } profile other_tests { # set rlimit set rlimit nice <= 3, rlimit nice <= 3, # Without "set" set #comment rlimit nice <= 3, # "remount" keyword mount remount remount, remount remount remount, dbus remount remount, unix remount remount, # "unix" keyword network unix unix, ptrace unix unix, unix unix unix, # Transition rules /usr/bin/foo cx -> hello*, # profile name /usr/bin/foo Cx -> path/, # path /usr/bin/foo cx -> ab[ad/]hello, # profile name /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path /usr/bin/foo Cx -> ab[hello/path, # profile name /usr/bin/foo cx -> "hello*", # profile name /usr/bin/foo Cx -> "path/", # path /usr/bin/foo cx -> "ab[ad/]hello", # profile name /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path /usr/bin/foo Cx -> "ab[hello/path", # profile name /usr/bin/foo cx -> holas//hello/sa, # path /usr/bin/foo cx -> df///dd//hat, # path + hat /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name # Access modes /hello/lib/foo rwklms, # s invalid /hello/lib/foo rwmaix, # w & a incompatible /hello/lib/foo kalmw, /hello/lib/foo wa, # OK /hello/lib/foo rrwrwwrwrw, /hello/lib/foo ixixix, # Incompatible exec permissions ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx, pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux 
ixixx puxpuxx, Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx, # Test valid permissions r w a k l m l x ix ux Ux px Px cx Cx , pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx, rwklmx raklmx, r rw rwk rwkl rwklm, rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx, rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk, rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl, # Profile name profile holas { ... } profile { ... } profile /path { ... } profile holas/abc { ... } profile holas\/abc { ... } profile #holas { ... } profile flags=(complain)#asd { ... } profile flags flags=(complain) { ... } profile flags(complain) { ... } }
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
index f13ce64..51dbef0 100644
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -1,282 +1,282 @@
 usr.bin.apparmor-profile-test
 # Sample AppArmor Profile.
 # License: Public Domain
 
 # NOTE: This profile is not fully functional, since
 # it is designed to test the syntax highlighting.
 
 include <tunables/global>
 
 # Variable assignment
 @{FOO_LIB}=/usr/lib{,32,64}/foo
 @{USER_DIR}
   = @{HOME}/Public @{HOME}/Desktop #No-Comment
 @{USER_DIR} += @{HOME}/Hello \
 deny owner #No-comment aa#aa
 ${BOOL} = true
 
 # Alias
 alias /usr/ -> /mnt/usr/,
 
 # Profile for /usr/bin/foo
 profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
 	#include <abstractions/ubuntu-helpers>
 	#include<abstractions/wayland>
 	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
 	include "/etc/apparmor.d/abstractions/openssl"
 
 	include if exists <path with spaces>
 	include <include_tests/includes_okay_helper.include> #include <includes/base>
 	/some/file mr, #include <includes/base> /bin/true Px,
 
 	# File rules
 	/{,**/} r,
 	owner /{home,media,mnt,srv,net}/** r,
 	owner @{USER_DIR}/** rw,
 	audit deny owner /**/* mx,
 	/**.[tT][xX][tT] r,  # txt
 
 	owner file @{HOME}/.local/share/foo/{,**} rwkl,
 	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk,
 
 	"/usr/share/**" r,
 	"/var/lib/flatpak/exports/share/**" r,
 	"/var/lib/{spaces in
 		string,hello}/a[^ a]a/**" r,
 
 	allow file /etc/nsswitch.conf           r,
 	allow /etc/fstab                        r,
 	deny /etc/xdg/{autostart,systemd}/**    r,
 	deny /boot/**                           rwlkmx,
 
 	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
 	/sys/devices/**/uevent r,
 	@{FOO_LIB}/{@{multiarch},64}/** mr,
 
 	/usr/bin/foo         ixr,
 	/usr/bin/dolphin     pUx,
 	/usr/bin/*           Pixr,
 	/usr/bin/khelpcenter Cx  -> sanitized_helper,
 	/usr/bin/helloworld  cxr ->
-			hello_world,
+		hello_world,
 
 	# Dbus rules
 	dbus (send)  #No-Comment
 		bus=system
 		path=/org/freedesktop/NetworkManager
 		interface=org.freedesktop.DBus.Introspectable
 		peer=(name=org.freedesktop.NetworkManager label=unconfined),
 	dbus (send receive)
 		bus=system
 		path=/org/freedesktop/NetworkManager
 		interface=org.freedesktop.NetworkManager
 		member={Introspect,state}
 		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
 	dbus (send)
 		bus=session
 		path=/org/gnome/GConf/Database/*
 		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
 	dbus (bind)
 		bus=system
 		name=org.bluez,
 
 	# Signal rules
 	signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
 	signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
 
 	# Child profile
 	profile hello_world {
 		# File rules (three different ways)
 		file /usr/lib{,32,64}/helloworld/**.so mr,
 		/usr/lib{,32,64}/helloworld/** r,
 		rk /usr/lib{,32,64}/helloworld/hello,file,
 
 		# Link rules (two ways)
 		l /foo1 -> /bar,
 		link /foo2 -> bar,
-		link /foo3 to bar,
 		link subset /link* -> /**,
 
 		# Network rules
 		network inet6 tcp,
 		network netlink dgram,
 		network bluetooth,
 		network unspec dgram,
 
 		# Capability rules
 		capability dac_override,
 		capability sys_admin,
 		capability sys_chroot,
 
 		# Mount rules
 		mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
 		mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
 		mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
 		umount /home/*/helloworld/,
 
 		# Pivot Root rules
 		pivot_root oldroot=/mnt/root/old/ /mnt/root/,
 		pivot_root /mnt/root/,
 
 		# Ptrace rules
 		ptrace (trace) peer=unconfined,
 		ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
 
 		# Unix rules
 		unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
 		unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
 		unix peer=(label=@{profile_name},addr=@helloworld),
 
 		# Rlimit rule
 		set rlimit data  <= 100M,
 		set rlimit nproc <= 10,
 		set rlimit memlock <= 2GB,
 		set rlimit rss <= infinity,
+		set rlimit nice <= -12,
 
 		# Change Profile rules
 		change_profile unsafe /** -> [^u/]**,
 		change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
 		change_profile /bin/bash  ->
 			new_profile//hat,
 	}
 
 	# Hat
 	^foo-helper\/ {
 		network unix stream,
 		unix stream,
 
 		/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
 
 		# Text after a variable is highlighted as path
 		file /my/path r,
 		@{FOO_LIB}file r,
 		@{FOO_LIB}#my/path r, #Comment
 		@{FOO_LIB}ñ* r,
 		unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
 	}
 }
 
 # Syntax Error
 /usr/bin/error (complain, audit) {
 	file #include /hello r,
 
 	# Error: Variable open or with characters not allowed
 	@{var
 	@{sdf&s}
 
 	# Error: Open brackets
 	/{hello{ab,cd}world  kr,
 	/{abc{abc kr,
 	/[abc  kr,
 	/(abc kr,
 
 	# Error: Empty brackets
 	/hello[]hello{}hello()he  kr,
 
 	# Comments not allowed
 	dbus (send)  #No comment
 		path=/org/hello
 		#No comment
 		interface=org.hello #No comment
 		peer=(name=org.hello  #No comment
 		      label=unconfined), #Comment
 
 	# Don't allow assignment of variables within profiles
 	@{VARIABLE} = val1 val2 val3 # Comment
 
 	# Alias rules not allowed within profiles
 	alias /run/ -> /mnt/run/,
 
 	# Error: Open rule
 	/home/*/file rw
 	capability dac_override
 	deny file /etc/fstab w
 	audit network ieee802154,
 
 	dbus (receive
 	unix stream,
 	unix stream,
 }
 
 profile other_tests {
 	# set rlimit
 	set rlimit nice  <= 3,
 	rlimit nice  <= 3, # Without "set"
 	set #comment
 		rlimit
 			nice  <= 3,
 
 	# "remount" keyword
 	mount remount
 		remount,
 	remount remount
 		remount,
 	dbus remount
 		remount,
 	unix remount
 		remount,
 	# "unix" keyword
 	network unix
 		unix,
 	ptrace unix
 		unix,
 	unix unix
 		unix,
 
 	# Transition rules
 	/usr/bin/foo cx -> hello*,                  # profile name
 	/usr/bin/foo Cx -> path/,                   # path
 	/usr/bin/foo cx -> ab[ad/]hello,            # profile name
 	/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
 	/usr/bin/foo Cx -> ab[hello/path,           # profile name
 
 	/usr/bin/foo cx -> "hello*",                  # profile name
 	/usr/bin/foo Cx -> "path/",                   # path
 	/usr/bin/foo cx -> "ab[ad/]hello",            # profile name
 	/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
 	/usr/bin/foo Cx -> "ab[hello/path",           # profile name
 
 	/usr/bin/foo cx -> holas//hello/sa,    # path
 	/usr/bin/foo cx -> df///dd//hat,       # path + hat
 	/usr/bin/foo cx -> holas,#sd\323fsdf,  # profile name
 
 	# Access modes
 	/hello/lib/foo rwklms, # s invalid
 	/hello/lib/foo rwmaix, # w & a incompatible
 	/hello/lib/foo kalmw,
 	/hello/lib/foo wa,
 	# OK
 	/hello/lib/foo rrwrwwrwrw,
 	/hello/lib/foo ixixix,
 	# Incompatible exec permissions
 	ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
 	pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
 	Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
 	# Test valid permissions
 	r w a k l m l x ix ux Ux px Px cx Cx ,
 	pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
 	rwklmx raklmx,
 	r rw rwk rwkl rwklm,
 	rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
 	rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
 	rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
 
 	# Profile name
 	profile holas { ... }
 	profile { ... }
 	profile /path { ... }
 	profile holas/abc { ... }
 	profile holas\/abc { ... }
 	profile
 		#holas { ... }
 
 	profile flags=(complain)#asd { ... }
 	profile flags flags=(complain) { ... }
 	profile flags(complain) { ... }
 }
 
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test
index d009570..e5e4a25 100644
--- a/autotests/input/usr.bin.apparmor-profile-test
+++ b/autotests/input/usr.bin.apparmor-profile-test
@@ -1,275 +1,275 @@ # Sample AppArmor Profile. # License: Public Domain # NOTE: This profile is not fully functional, since # it is designed to test the syntax highlighting. include # Variable assignment @{FOO_LIB}=/usr/lib{,32,64}/foo @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ deny owner #No-comment aa#aa ${BOOL} = true # Alias alias /usr/ -> /mnt/usr/, # Profile for /usr/bin/foo profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" include if exists include #include /some/file mr, #include /bin/true Px, # File rules /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, "/var/lib/{spaces in string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> - hello_world, + hello_world, # Dbus rules dbus (send) #No-Comment bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable peer=(name=org.freedesktop.NetworkManager label=unconfined), dbus (send receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={Introspect,state} peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), dbus (send) bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, dbus (bind) bus=system name=org.bluez, # Signal 
rules signal (send) set=(term) peer="/usr/lib/hello/world// foo helper", signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile profile hello_world { # File rules (three different ways) file /usr/lib{,32,64}/helloworld/**.so mr, /usr/lib{,32,64}/helloworld/** r, rk /usr/lib{,32,64}/helloworld/hello,file, # Link rules (two ways) l /foo1 -> /bar, link /foo2 -> bar, - link /foo3 to bar, link subset /link* -> /**, # Network rules network inet6 tcp, network netlink dgram, network bluetooth, network unspec dgram, # Capability rules capability dac_override, capability sys_admin, capability sys_chroot, # Mount rules mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, mount options in (rw, bind) / -> /run/hellowordd/*.mnt, mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*, umount /home/*/helloworld/, # Pivot Root rules pivot_root oldroot=/mnt/root/old/ /mnt/root/, pivot_root /mnt/root/, # Ptrace rules ptrace (trace) peer=unconfined, ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined), unix (send,receive) type=(stream) protocol=0 peer=(addr=none), unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule set rlimit data <= 100M, set rlimit nproc <= 10, set rlimit memlock <= 2GB, set rlimit rss <= infinity, + set rlimit nice <= -12, # Change Profile rules change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, } # Hat ^foo-helper\/ { network unix stream, unix stream, /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment @{FOO_LIB}ñ* r, unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } } # Syntax Error 
/usr/bin/error (complain, audit) { file #include /hello r, # Error: Variable open or with characters not allowed @{var @{sdf&s} # Error: Open brackets /{hello{ab,cd}world kr, /{abc{abc kr, /[abc kr, /(abc kr, # Error: Empty brackets /hello[]hello{}hello()he kr, # Comments not allowed dbus (send) #No comment path=/org/hello #No comment interface=org.hello #No comment peer=(name=org.hello #No comment label=unconfined), #Comment # Don't allow assignment of variables within profiles @{VARIABLE} = val1 val2 val3 # Comment # Alias rules not allowed within profiles alias /run/ -> /mnt/run/, # Error: Open rule /home/*/file rw capability dac_override deny file /etc/fstab w audit network ieee802154, dbus (receive unix stream, unix stream, } profile other_tests { # set rlimit set rlimit nice <= 3, rlimit nice <= 3, # Without "set" set #comment rlimit nice <= 3, # "remount" keyword mount remount remount, remount remount remount, dbus remount remount, unix remount remount, # "unix" keyword network unix unix, ptrace unix unix, unix unix unix, # Transition rules /usr/bin/foo cx -> hello*, # profile name /usr/bin/foo Cx -> path/, # path /usr/bin/foo cx -> ab[ad/]hello, # profile name /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path /usr/bin/foo Cx -> ab[hello/path, # profile name /usr/bin/foo cx -> "hello*", # profile name /usr/bin/foo Cx -> "path/", # path /usr/bin/foo cx -> "ab[ad/]hello", # profile name /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path /usr/bin/foo Cx -> "ab[hello/path", # profile name /usr/bin/foo cx -> holas//hello/sa, # path /usr/bin/foo cx -> df///dd//hat, # path + hat /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name # Access modes /hello/lib/foo rwklms, # s invalid /hello/lib/foo rwmaix, # w & a incompatible /hello/lib/foo kalmw, /hello/lib/foo wa, # OK /hello/lib/foo rrwrwwrwrw, /hello/lib/foo ixixix, # Incompatible exec permissions ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx, pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux 
ixixx puxpuxx, Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx, # Test valid permissions r w a k l m l x ix ux Ux px Px cx Cx , pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx, rwklmx raklmx, r rw rwk rwkl rwklm, rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx, rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk, rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl, # Profile name profile holas { ... } profile { ... } profile /path { ... } profile holas/abc { ... } profile holas\/abc { ... } profile #holas { ... } profile flags=(complain)#asd { ... } profile flags flags=(complain) { ... } profile flags(complain) { ... } }
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
index 6d5968b..5155ce7 100644
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -1,275 +1,275 @@
 # Sample AppArmor Profile.
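Review bot: The network domains `qipcrtr` and `xdp` that the data/syntax/apparmor.xml hunk appears to add to the keyword list are not exercised anywhere in this input fixture; the only network rules remain `network inet6 tcp,`, `network netlink dgram,`, `network bluetooth,` and `network unspec dgram,`, so a regression in those new entries would not show up in the regenerated .ref/.html/.fold output. Consider adding, for example, `network xdp,` and `network qipcrtr dgram,` (constructed examples) after `network unspec dgram,` in the child profile and regenerating the reference files. The added `set rlimit nice <= -12,` does give the rlimit rule its first negative-value case, which is worth keeping. The markup of the xml hunk is stripped on this page, so the exact list the new keywords land in cannot be confirmed from here.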
# License: Public Domain

# NOTE: This profile is not fully functional, since
# it is designed to test the syntax highlighting.

include

# Variable assignment
@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR}
= @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
deny owner #No-comment aa#aa
${BOOL} = true

# Alias
alias /usr/ -> /mnt/usr/,

# Profile for /usr/bin/foo
profile foo /usr/bin/foo =(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"

include if exists
include #include
/some/file mr, #include /bin/true Px,

# File rules
/{,**/} r,
owner /{home,media,mnt,srv,net}/** r,
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt

owner file @{HOME}/.local/share/foo/{,**} rwkl,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,

"/usr/share/**" r,
"/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
string,hello}/a[^ a]a/**" r,

allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
deny /etc/xdg/{autostart,systemd}/** r,
deny /boot/** rwlkmx,

owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
/sys/devices/**/uevent r,
@{FOO_LIB}/{@{multiarch},64}/** mr,

/usr/bin/foo ixr,
/usr/bin/dolphin pUx,
/usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
- hello_world,
+ hello_world,

# Dbus rules
dbus (send) #No-Comment
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.DBus.Introspectable
=(name=org.freedesktop.NetworkManager label=unconfined),
dbus (send receive)
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.NetworkManager
={Introspect,state}
=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
=session
=/org/gnome/GConf/Database/*
={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
=system
=org.bluez,

# Signal rules
signal (send) =(term) ="/usr/lib/hello/world// foo helper",
signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,

# Child profile
profile hello_world {
# File rules (three different ways)
file /usr/lib{,32,64}/helloworld/**.so mr,
/usr/lib{,32,64}/helloworld/** r,
rk /usr/lib{,32,64}/helloworld/hello,file,

# Link rules (two ways)
l /foo1 -> /bar,
link /foo2 -> bar,
- link /foo3 to bar,
link subset /link* -> /**,

# Network rules
network inet6 tcp,
network netlink dgram,
network bluetooth,
network unspec dgram,

# Capability rules
capability dac_override,
capability sys_admin,
capability sys_chroot,

# Mount rules
mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
mount in (rw, bind) / -> /run/hellowordd/*.mnt,
mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
umount /home/*/helloworld/,

# Pivot Root rules
pivot_root =/mnt/root/old/ /mnt/root/,
pivot_root /mnt/root/,

# Ptrace rules
ptrace (trace) =unconfined,
ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,

# Unix rules
unix (connect receive send) =(stream) =(addr=@/tmp/ibus/dbus-*,label=unconfined),
unix (send,receive) =(stream) =0 =(addr=none),
unix =(label=@{profile_name},addr=@helloworld),

# Rlimit rule
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
set rlimit rss <= infinity,
+ set rlimit nice <= -12,

# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile//hat,
}

# Hat
^foo-helper\/ {
network unix stream,
unix stream,

/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions

# Text after a variable is highlighted as path
file /my/path r,
@{FOO_LIB}file r,
@{FOO_LIB}#my/path r, #Comment
@{FOO_LIB}ñ* r,
unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
}
}

# Syntax Error
/usr/bin/error (complain, audit) {
file #include /hello r,

# Error: Variable open or with characters not allowed
@{var
@{sdf&s}

# Error: Open brackets
/{hello{ab,cd}world kr,
/{abc{abc kr,
/[abc kr,
/(abc kr,

# Error: Empty brackets
/hello[]hello{}hello()he kr,

# Comments not allowed
dbus (send) #No comment
=/org/hello
#No comment
=org.hello #No comment
=(name=org.hello #No comment
label=unconfined), #Comment

# Don't allow assignment of variables within profiles
@{VARIABLE} = val1 val2 val3 # Comment

# Alias rules not allowed within profiles
alias /run/ -> /mnt/run/,

# Error: Open rule
/home/*/file rw
capability dac_override
deny file /etc/fstab w
audit network ieee802154,

dbus (receive
unix stream,
unix stream,
}

profile other_tests {
# set rlimit
set rlimit nice <= 3,
rlimit nice <= 3, # Without "set"
set #comment
rlimit
nice <= 3,

# "remount" keyword
mount remount
remount,
remount remount
remount,
dbus remount
remount,
unix remount
remount,
# "unix" keyword
network unix
unix,
ptrace unix
unix,
unix unix
unix,

# Transition rules
/usr/bin/foo cx -> hello*, # profile name
/usr/bin/foo Cx -> path/, # path
/usr/bin/foo cx -> ab[ad/]hello, # profile name
/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
/usr/bin/foo Cx -> ab[hello/path, # profile name

/usr/bin/foo cx -> "hello*", # profile name
/usr/bin/foo Cx -> "path/", # path
/usr/bin/foo cx -> "ab[ad/]hello", # profile name
/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
/usr/bin/foo Cx -> "ab[hello/path", # profile name

/usr/bin/foo cx -> holas//hello/sa, # path
/usr/bin/foo cx -> df///dd//hat, # path + hat
/usr/bin/foo cx -> holas,#sd\323fsdf, # profile name

# Access modes
/hello/lib/foo rwklms, # s invalid
/hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
/hello/lib/foo rrwrwwrwrw,
/hello/lib/foo ixixix,
# Incompatible exec permissions
ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
# Test valid permissions
r w a k l m l x ix ux Ux px Px cx Cx ,
pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
rwklmx raklmx,
r rw rwk rwkl rwklm,
rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,

# Profile name
profile holas { ... }
profile { ... }
profile /path { ... }
profile holas/abc { ... }
profile holas\/abc { ... }
profile
#holas { ... }

profile flags=(complain)#asd { ... }
profile flags =(complain) { ... }
profile flags(complain) { ... }
}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
index bd87164..2ec78c6 100644
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -1,1596 +1,1602 @@ ]> profile hat flags xattrs audit complain enforce mediate_deleted attach_disconnected chroot_relative chroot_attach chroot_no_attach delegate_deleted no_attach_disconnected namespace_relative allow deny owner - + other audit audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key packet ash econet atmsvc sna irda pppox wanpipe bluetooth netlink rds llc can tipc iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock mpls ib kcm smc + qipcrtr + xdp stream dgram seqpacket rdm raw tcp udp icmp unix fstype vfstype options option r w rw ro read-only suid nosuid dev nodev exec noexec sync async remount mand nomand dirsync atime noatime diratime nodiratime bind B move M rbind R verbose silent loud acl noacl unbindable make-unbindable runbindable make-runbindable private make-private rprivate make-rprivate slave make-slave rslave make-rslave shared make-shared rshared make-rshared relatime norelatime iversion noiversion strictatime user nouser ecryptfs overlayfs unionfs shm cryfs encfs apparmorfs autofs bdev bpf cachefs cgroup cgroup2 cifs coherent configfs cpuset cramfs debugfs devfs devpts devtmpfs efs fuse fuseblk fusectl futexfs hugetlbfs kernfs mqueue pipefs proc procfs pstorefs pstore ramfs romfs rootfs sdcardfs securityfs selinuxfs sockfs specfs squashfs swapfs sysfs sysv tmpfs usbfs vfat functionfs inotifyfs labeledfs oemfs adfs affs afs apfs bfs btrfs ceph coda exfat ext2 ext3 ext4 f2fs fatx gfs hfs hfsplus hpfs ifs iso9660 jffs2 jffs jfs lvm2 minix msdos ncpfs nilfs nilfs2 nfs nfs4 ntfs-3g ntfs ocfs qnx4 qnx6 reiser4 reiserfs smbfs swap 
tracefs ubifs udf ufs umsdos urefs xenix yaffs2 yaffs xfs zfs oldroot peer readby trace tracedby set peer bus hup int quit ill trap abrt fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt exists send receive peer bus path interface member name name label send receive bind eavesdrop system session peer set label type protocol addr attr opt send receive bind create listen accept connect shutdown getattr setattr getopt setopt cpu fsize data stack core rss nofile ofile as nproc memlock locks sigpending msgqueue nice rtprio rttime subset safe unsafe if exists rw r w read write profile_name HOME HOMEDIRS multiarch pid pids PROC securityfs apparmorfs sys tid XDG_DESKTOP_DIR XDG_DOWNLOAD_DIR XDG_TEMPLATES_DIR XDG_PUBLICSHARE_DIR XDG_DOCUMENTS_DIR XDG_MUSIC_DIR XDG_PICTURES_DIR XDG_VIDEOS_DIR flatpak_exports_root system_share_dirs user_share_dirs abstractions/ apache2-common aspell audio authentication base bash consoles cups-client dbus dbus-accessibility dbus-accessibility-strict dbus-session dbus-session-strict dbus-strict dconf dovecot-common dri-common dri-enumerate enchant fcitx fcitx-strict fonts freedesktop.org gnome gnupg ibus kde-icon-cache-write kde-globals-write kde-language-write kde kerberosclient launchpad-integration ldapclient libpam-systemd likewise mdns mesa mir mozc mysql nameservice nis nvidia opencl opencl-common opencl-intel opencl-mesa opencl-nvidia opencl-pocl openssl orbit2 p11-kit perl php php5 postfix-common private-files private-files-strict python qt5-compose-cache-write qt5-settings-write qt5 recent-documents-write ruby samba smbpass ssl_certs ssl_keys svn-repositories ubuntu-bittorrent-clients ubuntu-browsers ubuntu-console-browsers ubuntu-console-email ubuntu-email ubuntu-feed-readers ubuntu-gnome-terminal ubuntu-helpers ubuntu-konsole ubuntu-media-players ubuntu-unity7-base ubuntu-unity7-launcher ubuntu-unity7-messaging ubuntu-xterm user-download user-mail user-manpages 
user-tmp user-write video vulkan wayland web-data winbind wutmp X xad xdg-desktop ubuntu-browsers.d/ java mailto multimedia plugins-common productivity text-editors ubuntu-integration ubuntu-integration-xul user-files apparmor_api/ change_profile examine find_mountpoint introspect is_enabled tunables/ alias apparmorfs dovecot global home kernelvars multiarch ntpd proc securityfs sys xdg-user-dirs home.d/ multiarch.d/ xdg-user-dirs.d/ site.local local/ true false unspec none unconfined mount remount umount alias file capability network pivot_root ptrace signal dbus unix link change_profile rlimit set - - + + + + - + - - - - - + + + + -