diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold index ca5db79..64deede 100644 --- a/autotests/folding/usr.bin.apparmor-profile-test.fold +++ b/autotests/folding/usr.bin.apparmor-profile-test.fold @@ -1,156 +1,270 @@ # Sample AppArmor Profile. # License: Public Domain # NOTE: This profile is not fully functional, since # it is designed to test the syntax highlighting. include # Variable assignment @{FOO_LIB}=/usr/lib{,32,64}/foo @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ -deny owner #No-comment +deny owner #No-comment aa#aa ${BOOL} = true +# Alias +alias /usr/ -> /mnt/usr/, + # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected enforce) { - include #include +profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists + include #include + /some/file mr, #include /bin/true Px, + # File rules /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/* rw, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, "/var/lib/{spaces in string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, - deny /etc/udev/udev.conf a, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, - + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, + @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> hello_world, - - @{FOO_LIB}/{@{multiarch},64}/** mr, - + # Dbus rules dbus (send) #No-Comment bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable peer=(name=org.freedesktop.NetworkManager label=unconfined), dbus (send receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={Introspect,state} peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), dbus (send) bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, dbus (bind) bus=system name=org.bluez, # Signal rules signal (send) set=(term) peer="/usr/lib/hello/world// foo helper", signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile profile hello_world { # File rules (three different ways) file /usr/lib{,32,64}/helloworld/**.so mr, /usr/lib{,32,64}/helloworld/** r, rk /usr/lib{,32,64}/helloworld/hello,file, # Link rules (two ways) l /foo1 -> /bar, link /foo2 -> bar, link /foo3 to bar, link subset /link* -> /**, # Network rules network inet6 tcp, network netlink dgram, network bluetooth, network unspec dgram, # Capability rules capability dac_override, capability sys_admin, capability sys_chroot, # Mount rules mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, mount options in (rw, bind) / -> /run/hellowordd/*.mnt, mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*, umount /home/*/helloworld/, # Pivot Root rules pivot_root oldroot=/mnt/root/old/ /mnt/root/, pivot_root /mnt/root/, # Ptrace rules ptrace (trace) peer=unconfined, ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined), unix (send,receive) type=(stream) protocol=0 peer=(addr=none), unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule set rlimit data <= 100M, set rlimit nproc <= 10, set rlimit memlock <= 2GB, set rlimit rss <= infinity, # Change Profile rules change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, - - # Alias - alias /usr/ -> /mnt/usr/, } # Hat - ^foo-\/helper { + ^foo-helper\/ { network unix stream, unix stream, /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment @{FOO_LIB}ñ* r, unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } } + +# Syntax Error +/usr/bin/error (complain, audit) { + file #include /hello r, + + # Error: Variable open or with characters not allowed + @{var + @{sdf&s} + + # Error: Open brackets + /{hello{ab,cd}world kr, + /{abc{abc kr, + /[abc kr, + /(abc kr, + + # Error: Empty brackets + /hello[]hello{}hello()he kr, + + # Comments not allowed + dbus (send) #No comment + path=/org/hello + #No comment + interface=org.hello #No comment + peer=(name=org.hello #No comment + label=unconfined), #Comment + @{VARIABLE} = val1 val2 val3 #No comment + + # Error: Open rule + /home/*/file rw + capability dac_overridecapability dac_override + deny file /etc/fstab w + audit network ieee802154, + + dbus (receive + unix stream,unix stream, + unix stream, +} + +profile other_tests { + # set rlimit + set rlimit nice <= 3, + rlimit nice <= 3, # Without "set" + set #comment + rlimit + nice <= 3, + + # "remount" keyword + mount remount + remount, + remount remount + remount, + dbus remount + remount,remount, + unix remount + remount,remount, + # "unix" keyword + network unix + unix, + ptrace unix + unix,unix, + unix unix + unix,unix, + + # Transition rules + /usr/bin/foo cx -> hello*, + /usr/bin/foo Cx -> path/, + /usr/bin/foo cx -> ab[ad/]hello, + /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, + /usr/bin/foo Cx -> ab[hello/path, + + /usr/bin/foo cx -> "hello*", + /usr/bin/foo Cx -> "path/", + /usr/bin/foo cx -> "ab[ad/]hello", + /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", + /usr/bin/foo Cx -> "ab[hello/path", + + /usr/bin/foo cx -> holas//hello/sa, + /usr/bin/foo cx -> df///dd//hat, + /usr/bin/foo cx -> holas,#sd\323fsdf, + + # Access modes + /hello/lib/foo rwklms, # s invalid + /hello/lib/foo rwmaix, # w & a incompatible + /hello/lib/foo kalmw, + /hello/lib/foo wa, + # OK + /hello/lib/foo rrwrwwrwrw, + /hello/lib/foo ixixix, + # Incompatible exec permissions + ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx, + pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx, + Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx, + # Test valid permissions + r w a k l m l x ix ux Ux px Px cx Cx , + pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx, + rwklmx raklmx, + r rw rwk rwkl rwklm, + rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx, + rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk, + rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl, + + # Profile name + profile holas { ... } + profile { ... } + profile /path { ... } + profile holas/abc { ... } + profile holas\/abc { ... } + profile + #holas { ... } + + profile flags=(complain)#asd { ... } + profile flags flags=(complain) { ... } + profile flags(complain) { ... } +} diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html index 63fc0ca..4e2a486 100644 --- a/autotests/html/usr.bin.apparmor-profile-test.html +++ b/autotests/html/usr.bin.apparmor-profile-test.html @@ -1,163 +1,277 @@ usr.bin.apparmor-profile-test 
 # Sample AppArmor Profile.
 # License: Public Domain
 
 # NOTE: This profile is not fully functional, since
 # it is designed to test the syntax highlighting.
 
 include <tunables/global>
 
 # Variable assignment
-@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{FOO_LIB}=/usr/lib{,32,64}/foo
 @{USER_DIR}
   = @{HOME}/Public @{HOME}/Desktop #No-Comment
 @{USER_DIR} += @{HOME}/Hello \
-deny owner #No-comment
+deny owner #No-comment aa#aa
 ${BOOL} = true
 
+# Alias
+alias /usr/ -> /mnt/usr/,
+
 # Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected enforce) {
-	include <include_tests/includes_okay_helper.include> #include <includes/base>
+profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
 	#include <abstractions/ubuntu-helpers>
 	#include<abstractions/wayland>
 	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
 	include "/etc/apparmor.d/abstractions/openssl"
+
 	include if exists <path with spaces>
+	include <include_tests/includes_okay_helper.include> #include <includes/base>
+	/some/file mr, #include <includes/base> /bin/true Px,
 
-	/{,**/} r,
-	owner /{home,media,mnt,srv,net}/** r,
+	# File rules
+	/{,**/} r,
+	owner /{home,media,mnt,srv,net}/** r,
 	owner @{USER_DIR}/** rw,
 	audit deny owner /**/* mx,
 	/**.[tT][xX][tT] r,  # txt
 	
-	owner file @{HOME}/.local/share/foo/{,**} rwkl,
-	owner @{HOME}/.config/*                   rw,
+	owner file @{HOME}/.local/share/foo/{,**} rwkl,
 	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk,
 
 	"/usr/share/**" r,
 	"/var/lib/flatpak/exports/share/**" r,
 	"/var/lib/{spaces in
-		string,hello}/a[^ a]a/**" r,
+		string,hello}/a[^ a]a/**" r,
 
 	allow file /etc/nsswitch.conf           r,
 	allow /etc/fstab                        r,
-	deny /etc/udev/udev.conf                a,
-	deny /etc/xdg/{autostart,systemd}/**    r,
+	deny /etc/xdg/{autostart,systemd}/**    r,
 	deny /boot/**                           rwlkmx,
-	
-	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+
+	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
 	/sys/devices/**/uevent r,
+	@{FOO_LIB}/{@{multiarch},64}/** mr,
 
 	/usr/bin/foo         ixr,
 	/usr/bin/dolphin     pUx,
 	/usr/bin/*           Pixr,
 	/usr/bin/khelpcenter Cx  -> sanitized_helper,
 	/usr/bin/helloworld  cxr ->
 			hello_world,
-	
-	@{FOO_LIB}/{@{multiarch},64}/** mr,
-	
+
 	# Dbus rules
 	dbus (send)  #No-Comment
 		bus=system
 		path=/org/freedesktop/NetworkManager
 		interface=org.freedesktop.DBus.Introspectable
 		peer=(name=org.freedesktop.NetworkManager label=unconfined),
 	dbus (send receive)
 		bus=system
 		path=/org/freedesktop/NetworkManager
 		interface=org.freedesktop.NetworkManager
-		member={Introspect,state}
-		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+		member={Introspect,state}
+		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
 	dbus (send)
 		bus=session
 		path=/org/gnome/GConf/Database/*
-		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
 	dbus (bind)
 		bus=system
 		name=org.bluez,
 
 	# Signal rules
 	signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
 	signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
 
 	# Child profile
 	profile hello_world {
 		# File rules (three different ways)
-		file /usr/lib{,32,64}/helloworld/**.so mr,
-		/usr/lib{,32,64}/helloworld/** r,
-		rk /usr/lib{,32,64}/helloworld/hello,file,
+		file /usr/lib{,32,64}/helloworld/**.so mr,
+		/usr/lib{,32,64}/helloworld/** r,
+		rk /usr/lib{,32,64}/helloworld/hello,file,
 
 		# Link rules (two ways)
 		l /foo1 -> /bar,
 		link /foo2 -> bar,
 		link /foo3 to bar,
 		link subset /link* -> /**,
 
 		# Network rules
 		network inet6 tcp,
 		network netlink dgram,
 		network bluetooth,
 		network unspec dgram,
 
 		# Capability rules
 		capability dac_override,
 		capability sys_admin,
 		capability sys_chroot,
 
 		# Mount rules
 		mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
 		mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
 		mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
 		umount /home/*/helloworld/,
 
 		# Pivot Root rules
 		pivot_root oldroot=/mnt/root/old/ /mnt/root/,
 		pivot_root /mnt/root/,
 
 		# Ptrace rules
 		ptrace (trace) peer=unconfined,
 		ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
 
 		# Unix rules
 		unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
 		unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
 		unix peer=(label=@{profile_name},addr=@helloworld),
 
 		# Rlimit rule
-		set rlimit data  <= 100M,
+		set rlimit data  <= 100M,
 		set rlimit nproc <= 10,
-		set rlimit memlock <= 2GB,
+		set rlimit memlock <= 2GB,
 		set rlimit rss <= infinity,
 
 		# Change Profile rules
 		change_profile unsafe /** -> [^u/]**,
 		change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
 		change_profile /bin/bash  -> 
 			new_profile//hat,
-
-		# Alias
-		alias /usr/ -> /mnt/usr/,
 	}
 
 	# Hat
-	^foo-\/helper {
+	^foo-helper\/ {
 		network unix stream,
 		unix stream,
 
 		/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
 
 		# Text after a variable is highlighted as path
 		file /my/path r,
 		@{FOO_LIB}file r,
 		@{FOO_LIB}#my/path r, #Comment
 		@{FOO_LIB}ñ* r,
 		unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
 	}
 }
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+	file #include /hello r,
+
+	# Error: Variable open or with characters not allowed
+	@{var
+	@{sdf&s}
+
+	# Error: Open brackets
+	/{hello{ab,cd}world  kr,
+	/{abc{abc kr,
+	/[abc  kr,
+	/(abc kr,
+
+	# Error: Empty brackets
+	/hello[]hello{}hello()he  kr,
+
+	# Comments not allowed
+	dbus (send)  #No comment
+		path=/org/hello
+		#No comment
+		interface=org.hello #No comment
+		peer=(name=org.hello  #No comment
+		      label=unconfined), #Comment
+	@{VARIABLE} = val1 val2 val3  #No comment
+
+	# Error: Open rule
+	/home/*/file rw
+	capability dac_override
+	deny file /etc/fstab w
+	audit network ieee802154,
+
+	dbus (receive
+	unix stream,
+	unix stream,
+}
+
+profile other_tests {
+	# set rlimit
+	set rlimit nice  <= 3,
+	rlimit nice  <= 3, # Without "set"
+	set #comment
+		rlimit
+			nice  <= 3,
+
+	# "remount" keyword
+	mount remount
+		remount,
+	remount remount
+		remount,
+	dbus remount
+		remount,
+	unix remount
+		remount,
+	# "unix" keyword
+	network unix
+		unix,
+	ptrace unix
+		unix,
+	unix unix
+		unix,
+
+	# Transition rules
+	/usr/bin/foo cx -> hello*,
+	/usr/bin/foo Cx -> path/,
+	/usr/bin/foo cx -> ab[ad/]hello,
+	/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+	/usr/bin/foo Cx -> ab[hello/path,
+
+	/usr/bin/foo cx -> "hello*",
+	/usr/bin/foo Cx -> "path/",
+	/usr/bin/foo cx -> "ab[ad/]hello",
+	/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+	/usr/bin/foo Cx -> "ab[hello/path",
+
+	/usr/bin/foo cx -> holas//hello/sa,
+	/usr/bin/foo cx -> df///dd//hat,
+	/usr/bin/foo cx -> holas,#sd\323fsdf,
+
+	# Access modes
+	/hello/lib/foo rwklms, # s invalid
+	/hello/lib/foo rwmaix,  # w & a incompatible
+	/hello/lib/foo kalmw,
+	/hello/lib/foo wa,
+	# OK
+	/hello/lib/foo rrwrwwrwrw,
+	/hello/lib/foo ixixix,
+	# Incompatible exec permissions
+	ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+	pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+	Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+	# Test valid permissions
+	r w a k l m l x ix ux Ux px Px cx Cx ,
+	pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+	rwklmx raklmx,
+	r rw rwk rwkl rwklm,
+	rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+	rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+	rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+	# Profile name
+	profile holas { ... }
+	profile { ... }
+	profile /path { ... }
+	profile holas/abc { ... }
+	profile holas\/abc { ... }
+	profile
+		#holas { ... }
+
+	profile flags=(complain)#asd { ... }
+	profile flags flags=(complain) { ... }
+	profile flags(complain) { ... }
+}
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test index 8a51800..d112068 100644 --- a/autotests/input/usr.bin.apparmor-profile-test +++ b/autotests/input/usr.bin.apparmor-profile-test @@ -1,156 +1,270 @@ # Sample AppArmor Profile. # License: Public Domain # NOTE: This profile is not fully functional, since # it is designed to test the syntax highlighting. include # Variable assignment @{FOO_LIB}=/usr/lib{,32,64}/foo @{USER_DIR} = @{HOME}/Public @{HOME}/Desktop #No-Comment @{USER_DIR} += @{HOME}/Hello \ -deny owner #No-comment +deny owner #No-comment aa#aa ${BOOL} = true +# Alias +alias /usr/ -> /mnt/usr/, + # Profile for /usr/bin/foo -/usr/bin/foo (attach_disconnected enforce) { - include #include +profile foo /usr/bin/foo flags=(attach_disconnected enforce) { #include #include #include"/etc/apparmor.d/abstractions/ubuntu-konsole" include "/etc/apparmor.d/abstractions/openssl" + include if exists + include #include + /some/file mr, #include /bin/true Px, + # File rules /{,**/} r, owner /{home,media,mnt,srv,net}/** r, owner @{USER_DIR}/** rw, audit deny owner /**/* mx, /**.[tT][xX][tT] r, # txt owner file @{HOME}/.local/share/foo/{,**} rwkl, - owner @{HOME}/.config/* rw, owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk, "/usr/share/**" r, "/var/lib/flatpak/exports/share/**" r, "/var/lib/{spaces in string,hello}/a[^ a]a/**" r, allow file /etc/nsswitch.conf r, allow /etc/fstab r, - deny /etc/udev/udev.conf a, deny /etc/xdg/{autostart,systemd}/** r, deny /boot/** rwlkmx, - + owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r, /sys/devices/**/uevent r, + @{FOO_LIB}/{@{multiarch},64}/** mr, /usr/bin/foo ixr, /usr/bin/dolphin pUx, /usr/bin/* Pixr, /usr/bin/khelpcenter Cx -> sanitized_helper, /usr/bin/helloworld cxr -> hello_world, - - @{FOO_LIB}/{@{multiarch},64}/** mr, - + # Dbus rules dbus (send) #No-Comment bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable peer=(name=org.freedesktop.NetworkManager label=unconfined), dbus (send receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={Introspect,state} peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)), dbus (send) bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}, dbus (bind) bus=system name=org.bluez, # Signal rules signal (send) set=(term) peer="/usr/lib/hello/world// foo helper", signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper, # Child profile profile hello_world { # File rules (three different ways) file /usr/lib{,32,64}/helloworld/**.so mr, /usr/lib{,32,64}/helloworld/** r, rk /usr/lib{,32,64}/helloworld/hello,file, # Link rules (two ways) l /foo1 -> /bar, link /foo2 -> bar, link /foo3 to bar, link subset /link* -> /**, # Network rules network inet6 tcp, network netlink dgram, network bluetooth, network unspec dgram, # Capability rules capability dac_override, capability sys_admin, capability sys_chroot, # Mount rules mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/, mount options in (rw, bind) / -> /run/hellowordd/*.mnt, mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*, umount /home/*/helloworld/, # Pivot Root rules pivot_root oldroot=/mnt/root/old/ /mnt/root/, pivot_root /mnt/root/, # Ptrace rules ptrace (trace) peer=unconfined, ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword, # Unix rules unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined), unix (send,receive) type=(stream) protocol=0 peer=(addr=none), unix peer=(label=@{profile_name},addr=@helloworld), # Rlimit rule set rlimit data <= 100M, set rlimit nproc <= 10, set rlimit memlock <= 2GB, set rlimit rss <= infinity, # Change Profile rules change_profile unsafe /** -> [^u/]**, change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}, change_profile /bin/bash -> new_profile//hat, - - # Alias - alias /usr/ -> /mnt/usr/, } # Hat - ^foo-\/helper { + ^foo-helper\/ { network unix stream, unix stream, /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions # Text after a variable is highlighted as path file /my/path r, @{FOO_LIB}file r, @{FOO_LIB}#my/path r, #Comment @{FOO_LIB}ñ* r, unix (/path\t{aa}*,*a @{var}*path,* @{var},*), } } + +# Syntax Error +/usr/bin/error (complain, audit) { + file #include /hello r, + + # Error: Variable open or with characters not allowed + @{var + @{sdf&s} + + # Error: Open brackets + /{hello{ab,cd}world kr, + /{abc{abc kr, + /[abc kr, + /(abc kr, + + # Error: Empty brackets + /hello[]hello{}hello()he kr, + + # Comments not allowed + dbus (send) #No comment + path=/org/hello + #No comment + interface=org.hello #No comment + peer=(name=org.hello #No comment + label=unconfined), #Comment + @{VARIABLE} = val1 val2 val3 #No comment + + # Error: Open rule + /home/*/file rw + capability dac_override + deny file /etc/fstab w + audit network ieee802154, + + dbus (receive + unix stream, + unix stream, +} + +profile other_tests { + # set rlimit + set rlimit nice <= 3, + rlimit nice <= 3, # Without "set" + set #comment + rlimit + nice <= 3, + + # "remount" keyword + mount remount + remount, + remount remount + remount, + dbus remount + remount, + unix remount + remount, + # "unix" keyword + network unix + unix, + ptrace unix + unix, + unix unix + unix, + + # Transition rules + /usr/bin/foo cx -> hello*, + /usr/bin/foo Cx -> path/, + /usr/bin/foo cx -> ab[ad/]hello, + /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, + /usr/bin/foo Cx -> ab[hello/path, + + /usr/bin/foo cx -> "hello*", + /usr/bin/foo Cx -> "path/", + /usr/bin/foo cx -> "ab[ad/]hello", + /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", + /usr/bin/foo Cx -> "ab[hello/path", + + /usr/bin/foo cx -> holas//hello/sa, + /usr/bin/foo cx -> df///dd//hat, + /usr/bin/foo cx -> holas,#sd\323fsdf, + + # Access modes + /hello/lib/foo rwklms, # s invalid + /hello/lib/foo rwmaix, # w & a incompatible + /hello/lib/foo kalmw, + /hello/lib/foo wa, + # OK + /hello/lib/foo rrwrwwrwrw, + /hello/lib/foo ixixix, + # Incompatible exec permissions + ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx, + pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx, + Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx, + # Test valid permissions + r w a k l m l x ix ux Ux px Px cx Cx , + pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx, + rwklmx raklmx, + r rw rwk rwkl rwklm, + rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx, + rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk, + rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl, + + # Profile name + profile holas { ... } + profile { ... } + profile /path { ... } + profile holas/abc { ... } + profile holas\/abc { ... } + profile + #holas { ... } + + profile flags=(complain)#asd { ... } + profile flags flags=(complain) { ... } + profile flags(complain) { ... } +} diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref index cfc9dea..c55bd5c 100644 --- a/autotests/reference/usr.bin.apparmor-profile-test.ref +++ b/autotests/reference/usr.bin.apparmor-profile-test.ref @@ -1,156 +1,270 @@ # Sample AppArmor Profile.
# License: Public Domain

# NOTE: This profile is not fully functional, since
# it is designed to test the syntax highlighting.

include

# Variable assignment
@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR}
= @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
-deny owner #No-comment
+deny owner #No-comment aa#aa
${BOOL} = true

+# Alias
+alias /usr/ -> /mnt/usr/,
+
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected enforce) {
- include #include
+profile foo /usr/bin/foo =(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
+
include if exists
+ include #include
+ /some/file mr, #include /bin/true Px,

+ # File rules
/{,**/} r,
owner /{home,media,mnt,srv,net}/** r,
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt

owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/* rw,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,

"/usr/share/**" r,
"/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
string,hello}/a[^ a]a/**" r,

allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
- deny /etc/udev/udev.conf a,
deny /etc/xdg/{autostart,systemd}/** r,
deny /boot/** rwlkmx,
-
+
owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
/sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,

/usr/bin/foo ixr,
/usr/bin/dolphin pUx,
/usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
hello_world,
-
- @{FOO_LIB}/{@{multiarch},64}/** mr,
-
+
# Dbus rules
dbus (send) #No-Comment
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.DBus.Introspectable
=(name=org.freedesktop.NetworkManager label=unconfined),
dbus (send receive)
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.NetworkManager
={Introspect,state}
=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
=session
=/org/gnome/GConf/Database/*
={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
=system
=org.bluez,

# Signal rules
signal (send) =(term) ="/usr/lib/hello/world// foo helper",
signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,

# Child profile
profile hello_world {
# File rules (three different ways)
file /usr/lib{,32,64}/helloworld/**.so mr,
/usr/lib{,32,64}/helloworld/** r,
rk /usr/lib{,32,64}/helloworld/hello,file,

# Link rules (two ways)
l /foo1 -> /bar,
link /foo2 -> bar,
link /foo3 to bar,
link subset /link* -> /**,

# Network rules
network inet6 tcp,
network netlink dgram,
network bluetooth,
network unspec dgram,

# Capability rules
capability dac_override,
capability sys_admin,
capability sys_chroot,

# Mount rules
mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
mount in (rw, bind) / -> /run/hellowordd/*.mnt,
mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
umount /home/*/helloworld/,

# Pivot Root rules
pivot_root =/mnt/root/old/ /mnt/root/,
pivot_root /mnt/root/,

# Ptrace rules
ptrace (trace) =unconfined,
ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,

# Unix rules
unix (connect receive send) =(stream) =(addr=@/tmp/ibus/dbus-*,label=unconfined),
unix (send,receive) =(stream) =0 =(addr=none),
unix =(label=@{profile_name},addr=@helloworld),

# Rlimit rule
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
set rlimit rss <= infinity,

# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile//hat,
-
- # Alias
- alias /usr/ -> /mnt/usr/,
}

# Hat
- ^foo-\/helper {
+ ^foo-helper\/ {
network unix stream,
unix stream,

/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions

# Text after a variable is highlighted as path
file /my/path r,
@{FOO_LIB}file r,
@{FOO_LIB}#my/path r, #Comment
@{FOO_LIB}ñ* r,
unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
}
}
+
+# Syntax Error
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
+
+ # Error: Variable open or with characters not allowed
+ @{var
+ @{sdf&s}
+
+ # Error: Open brackets
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
+
+ # Error: Empty brackets
+ /hello[]hello{}hello()he kr,
+
+ # Comments not allowed
+ dbus (send) #No comment
+ =/org/hello
+ #No comment
+ =org.hello #No comment
+ =(name=org.hello #No comment
+ label=unconfined), #Comment
+ @{VARIABLE} = val1 val2 val3 #No comment
+
+ # Error: Open rule
+ /home/*/file rw
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
+
+ dbus (receive
+ unix stream,
+ unix stream,
+}
+
+profile other_tests {
+ # set rlimit
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
+ set #comment
+ rlimit
+ nice <= 3,
+
+ # "remount" keyword
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
+ # "unix" keyword
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
+
+ # Transition rules
+ /usr/bin/foo cx -> hello*,
+ /usr/bin/foo Cx -> path/,
+ /usr/bin/foo cx -> ab[ad/]hello,
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
+ /usr/bin/foo Cx -> ab[hello/path,
+
+ /usr/bin/foo cx -> "hello*",
+ /usr/bin/foo Cx -> "path/",
+ /usr/bin/foo cx -> "ab[ad/]hello",
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
+ /usr/bin/foo Cx -> "ab[hello/path",
+
+ /usr/bin/foo cx -> holas//hello/sa,
+ /usr/bin/foo cx -> df///dd//hat,
+ /usr/bin/foo cx -> holas,#sd\323fsdf,
+
+ # Access modes
+ /hello/lib/foo rwklms, # s invalid
+ /hello/lib/foo rwmaix, # w & a incompatible
+ /hello/lib/foo kalmw,
+ /hello/lib/foo wa,
+ # OK
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
+ # Incompatible exec permissions
+ ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
+ pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
+ Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
+ # Test valid permissions
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+
+ # Profile name
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
+ profile
+ #holas { ... }
+
+ profile flags=(complain)#asd { ... }
+ profile flags =(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml index 6d3374c..0b81467 100644 --- a/data/syntax/apparmor.xml +++ b/data/syntax/apparmor.xml @@ -1,1522 +1,1555 @@ ]> - + version="7" + kateversion="5.0" + section="Markup" + extensions="usr.bin.*;usr.sbin.*;bin.*;sbin.*;usr.lib.*;usr.lib64.*;usr.lib32.*;usr.libx32.*;usr.libexec.*;usr.local.bin.*;usr.local.sbin.*;usr.local.lib*;opt.*;etc.cron.*;snap.*;snap-update-ns.*;snap-confine.*" + priority="0" + mimetype="" + author="Nibaldo González (nibgonz@gmail.com)" + license="MIT"> + - + profile hat flags xattrs audit complain enforce mediate_deleted attach_disconnected chroot_relative chroot_attach chroot_no_attach delegate_deleted no_attach_disconnected namespace_relative allow deny owner audit - + audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key packet ash econet atmsvc sna irda pppox wanpipe bluetooth netlink rds llc can tipc iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock mpls ib kcm smc stream dgram seqpacket rdm raw tcp udp icmp - unix - + fstype vfstype options option r w rw ro read-only suid nosuid dev nodev exec noexec sync async remount mand nomand dirsync atime noatime diratime nodiratime bind B move M rbind R verbose silent loud acl noacl unbindable make-unbindable runbindable make-runbindable private make-private rprivate make-rprivate slave make-slave rslave make-rslave shared make-shared rshared make-rshared relatime norelatime iversion noiversion strictatime user nouser ecryptfs overlayfs unionfs shm + cryfs + encfs apparmorfs autofs bdev bpf cachefs cgroup cgroup2 cifs coherent configfs cpuset cramfs debugfs devfs devpts devtmpfs efs fuse fuseblk fusectl futexfs hugetlbfs kernfs mqueue pipefs proc procfs pstorefs pstore ramfs romfs rootfs sdcardfs securityfs selinuxfs sockfs specfs squashfs swapfs sysfs sysv tmpfs usbfs vfat functionfs inotifyfs labeledfs oemfs adfs affs afs apfs bfs btrfs ceph coda exfat ext2 ext3 ext4 f2fs fatx gfs hfs hfsplus hpfs ifs iso9660 jffs2 jffs jfs lvm2 minix msdos ncpfs nilfs nilfs2 nfs nfs4 ntfs-3g ntfs ocfs qnx4 qnx6 reiser4 reiserfs smbfs swap tracefs ubifs udf ufs umsdos urefs xenix yaffs2 yaffs xfs zfs oldroot peer readby trace tracedby set peer bus hup int quit ill trap abrt fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt exists send receive peer bus path interface member name name label send receive bind eavesdrop system session - + peer set label type protocol addr attr opt send receive bind create listen accept connect shutdown getattr setattr getopt setopt cpu fsize data stack core rss nofile ofile as nproc memlock locks sigpending msgqueue nice rtprio rttime subset safe unsafe if exists - + rw r w read write - + profile_name - + HOME HOMEDIRS multiarch pid pids PROC securityfs apparmorfs sys tid XDG_DESKTOP_DIR XDG_DOWNLOAD_DIR XDG_TEMPLATES_DIR XDG_PUBLICSHARE_DIR XDG_DOCUMENTS_DIR XDG_MUSIC_DIR XDG_PICTURES_DIR XDG_VIDEOS_DIR abstractions/ apache2-common aspell audio authentication base bash consoles cups-client dbus dbus-accessibility dbus-accessibility-strict dbus-session dbus-session-strict dbus-strict dconf dovecot-common dri-common dri-enumerate enchant fcitx fcitx-strict fonts freedesktop.org gnome gnupg ibus + kde-icon-cache-write + kde-globals-write + kde-language-write kde kerberosclient launchpad-integration ldapclient libpam-systemd likewise mdns mesa mir mozc mysql nameservice nis nvidia opencl opencl-common opencl-intel opencl-mesa opencl-nvidia opencl-pocl openssl orbit2 p11-kit perl php php5 postfix-common private-files private-files-strict python + qt5-compose-cache-write + qt5-settings-write qt5 + recent-documents-write ruby samba smbpass ssl_certs ssl_keys svn-repositories ubuntu-bittorrent-clients ubuntu-browsers ubuntu-console-browsers ubuntu-console-email ubuntu-email ubuntu-feed-readers ubuntu-gnome-terminal ubuntu-helpers ubuntu-konsole ubuntu-media-players ubuntu-unity7-base ubuntu-unity7-launcher ubuntu-unity7-messaging ubuntu-xterm user-download user-mail user-manpages user-tmp user-write video vulkan wayland web-data winbind wutmp X xad xdg-desktop ubuntu-browsers.d/ java mailto multimedia plugins-common productivity text-editors ubuntu-integration ubuntu-integration-xul user-files apparmor_api/ change_profile examine find_mountpoint introspect is_enabled tunables/ alias apparmorfs dovecot global home kernelvars multiarch ntpd proc securityfs sys xdg-user-dirs home.d/ multiarch.d/ xdg-user-dirs.d/ site.local local/ true false unspec none unconfined mount remount umount alias file capability network pivot_root ptrace signal dbus unix link change_profile rlimit set - - + - + - + - + - + - + - + - + - - - - + + - + - + - + - + - + - + - - - + - + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - + - + - + - + - + - - + + - + - + - + - +