Differential D20221 Diff 56092 autotests/folding/usr.bin.apparmor-profile-test.fold

Changeset View

Standalone View

autotests/folding/usr.bin.apparmor-profile-test.fold

Show All 9 Lines
10	@{FOO_LIB}=/usr/lib{,32,64}/foo	10	@{FOO_LIB}=/usr/lib{,32,64}/foo
11	@{USER_DIR}	11	@{USER_DIR}
12	= @{HOME}/Public @{HOME}/Desktop #No-Comment	12	= @{HOME}/Public @{HOME}/Desktop #No-Comment
13	@{USER_DIR} += @{HOME}/Hello \	13	@{USER_DIR} += @{HOME}/Hello \
14	deny owner #No-comment aa#aa	14	deny owner #No-comment aa#aa
15	${BOOL} = true	15	${BOOL} = true
16		16
17	# Alias	17	# Alias
18	<beginfold id='2'>alias</beginfold id='2'> /usr/ -> /mnt/usr/<endfold id='2'>,</endfold id='2'>	18	<beginfold id='1'>alias</beginfold id='1'> /usr/ -> /mnt/usr/<endfold id='1'>,</endfold id='1'>
19		19
20	# Profile for /usr/bin/foo	20	# Profile for /usr/bin/foo
21	profile foo /usr/bin/foo flags=(attach_disconnected enforce) <beginfold id='1'>{</beginfold id='1'>	21	profile foo /usr/bin/foo flags=(attach_disconnected enforce) <beginfold id='2'>{</beginfold id='2'>
22	#include <abstractions/ubuntu-helpers>	22	#include <abstractions/ubuntu-helpers>
23	#include<abstractions/wayland>	23	#include<abstractions/wayland>
24	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"	24	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
25	include "/etc/apparmor.d/abstractions/openssl"	25	include "/etc/apparmor.d/abstractions/openssl"
26		26
27	include if exists <path with spaces>	27	include if exists <path with spaces>
28	include <include_tests/includes_okay_helper.include> #include <includes/base>	28	include <include_tests/includes_okay_helper.include> #include <includes/base>
29	/some/file mr<endfold id='2'>,</endfold id='2'> #include <includes/base> /bin/true Px<endfold id='2'>,</endfold id='2'>	29	/some/file mr<endfold id='1'>,</endfold id='1'> #include <includes/base> /bin/true Px<endfold id='1'>,</endfold id='1'>
30		30
31	# File rules	31	# File rules
32	/{,**/} r<endfold id='2'>,</endfold id='2'>	32	/{,**/} r<endfold id='1'>,</endfold id='1'>
33	owner /{home,media,mnt,srv,net}/** r<endfold id='2'>,</endfold id='2'>	33	owner /{home,media,mnt,srv,net}/** r<endfold id='1'>,</endfold id='1'>
34	owner @{USER_DIR}/** rw<endfold id='2'>,</endfold id='2'>	34	owner @{USER_DIR}/** rw<endfold id='1'>,</endfold id='1'>
35	audit deny owner /*/ mx<endfold id='2'>,</endfold id='2'>	35	audit deny owner /*/ mx<endfold id='1'>,</endfold id='1'>
36	/**.[tT][xX][tT] r<endfold id='2'>,</endfold id='2'> # txt	36	/**.[tT][xX][tT] r<endfold id='1'>,</endfold id='1'> # txt
37		37
38	owner <beginfold id='2'>file</beginfold id='2'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='2'>,</endfold id='2'>	38	owner <beginfold id='1'>file</beginfold id='1'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='1'>,</endfold id='1'>
39	owner @{HOME}/.config/.[a-zA-Z0-9] rwk<endfold id='2'>,</endfold id='2'>	39	owner @{HOME}/.config/.[a-zA-Z0-9] rwk<endfold id='1'>,</endfold id='1'>
40		40
41	"/usr/share/**" r<endfold id='2'>,</endfold id='2'>	41	"/usr/share/**" r<endfold id='1'>,</endfold id='1'>
42	"/var/lib/flatpak/exports/share/**" r<endfold id='2'>,</endfold id='2'>	42	"/var/lib/flatpak/exports/share/**" r<endfold id='1'>,</endfold id='1'>
43	"/var/lib/{spaces in	43	"/var/lib/{spaces in
44	string,hello}/a[^ a]a/**" r<endfold id='2'>,</endfold id='2'>	44	string,hello}/a[^ a]a/**" r<endfold id='1'>,</endfold id='1'>
45		45
46	allow <beginfold id='2'>file</beginfold id='2'> /etc/nsswitch.conf r<endfold id='2'>,</endfold id='2'>	46	allow <beginfold id='1'>file</beginfold id='1'> /etc/nsswitch.conf r<endfold id='1'>,</endfold id='1'>
47	allow /etc/fstab r<endfold id='2'>,</endfold id='2'>	47	allow /etc/fstab r<endfold id='1'>,</endfold id='1'>
48	deny /etc/xdg/{autostart,systemd}/** r<endfold id='2'>,</endfold id='2'>	48	deny /etc/xdg/{autostart,systemd}/** r<endfold id='1'>,</endfold id='1'>
49	deny /boot/** rwlkmx<endfold id='2'>,</endfold id='2'>	49	deny /boot/** rwlkmx<endfold id='1'>,</endfold id='1'>
50		50
51	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='2'>,</endfold id='2'>	51	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='1'>,</endfold id='1'>
52	/sys/devices/**/uevent r<endfold id='2'>,</endfold id='2'>	52	/sys/devices/**/uevent r<endfold id='1'>,</endfold id='1'>
53	@{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='2'>,</endfold id='2'>	53	@{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='1'>,</endfold id='1'>
54		54
55	/usr/bin/foo ixr<endfold id='2'>,</endfold id='2'>	55	/usr/bin/foo ixr<endfold id='1'>,</endfold id='1'>
56	/usr/bin/dolphin pUx<endfold id='2'>,</endfold id='2'>	56	/usr/bin/dolphin pUx<endfold id='1'>,</endfold id='1'>
57	/usr/bin/* Pixr<endfold id='2'>,</endfold id='2'>	57	/usr/bin/* Pixr<endfold id='1'>,</endfold id='1'>
58	/usr/bin/khelpcenter Cx -> sanitized_helper<endfold id='2'>,</endfold id='2'>	58	/usr/bin/khelpcenter Cx -> sanitized_helper<endfold id='1'>,</endfold id='1'>
59	/usr/bin/helloworld cxr ->	59	/usr/bin/helloworld cxr ->
60	hello_world<endfold id='2'>,</endfold id='2'>	60	hello_world<endfold id='1'>,</endfold id='1'>
61		61
62	# Dbus rules	62	# Dbus rules
63	<beginfold id='2'>dbus</beginfold id='2'> (send) #No-Comment	63	<beginfold id='1'>dbus</beginfold id='1'> (send) #No-Comment
64	bus=system	64	bus=system
65	path=/org/freedesktop/NetworkManager	65	path=/org/freedesktop/NetworkManager
66	interface=org.freedesktop.DBus.Introspectable	66	interface=org.freedesktop.DBus.Introspectable
67	peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='2'>,</endfold id='2'>	67	peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='1'>,</endfold id='1'>
68	<beginfold id='2'>dbus</beginfold id='2'> (send receive)	68	<beginfold id='1'>dbus</beginfold id='1'> (send receive)
69	bus=system	69	bus=system
70	path=/org/freedesktop/NetworkManager	70	path=/org/freedesktop/NetworkManager
71	interface=org.freedesktop.NetworkManager	71	interface=org.freedesktop.NetworkManager
72	member={Introspect,state}	72	member={Introspect,state}
73	peer=(name=(org.freedesktop.NetworkManager\|org.freedesktop.DBus))<endfold id='2'>,</endfold id='2'>	73	peer=(name=(org.freedesktop.NetworkManager\|org.freedesktop.DBus))<endfold id='1'>,</endfold id='1'>
74	<beginfold id='2'>dbus</beginfold id='2'> (send)	74	<beginfold id='1'>dbus</beginfold id='1'> (send)
75	bus=session	75	bus=session
76	path=/org/gnome/GConf/Database/*	76	path=/org/gnome/GConf/Database/*
77	member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='2'>,</endfold id='2'>	77	member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='1'>,</endfold id='1'>
78	<beginfold id='2'>dbus</beginfold id='2'> (bind)	78	<beginfold id='1'>dbus</beginfold id='1'> (bind)
79	bus=system	79	bus=system
80	name=org.bluez<endfold id='2'>,</endfold id='2'>	80	name=org.bluez<endfold id='1'>,</endfold id='1'>
81		81
82	# Signal rules	82	# Signal rules
83	<beginfold id='2'>signal</beginfold id='2'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='2'>,</endfold id='2'>	83	<beginfold id='1'>signal</beginfold id='1'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='1'>,</endfold id='1'>
84	<beginfold id='2'>signal</beginfold id='2'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='2'>,</endfold id='2'>	84	<beginfold id='1'>signal</beginfold id='1'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='1'>,</endfold id='1'>
85		85
86	# Child profile	86	# Child profile
87	profile hello_world <beginfold id='1'>{</beginfold id='1'>	87	profile hello_world <beginfold id='2'>{</beginfold id='2'>
88	# File rules (three different ways)	88	# File rules (three different ways)
89	<beginfold id='2'>file</beginfold id='2'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='2'>,</endfold id='2'>	89	<beginfold id='1'>file</beginfold id='1'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='1'>,</endfold id='1'>
90	/usr/lib{,32,64}/helloworld/** r<endfold id='2'>,</endfold id='2'>	90	/usr/lib{,32,64}/helloworld/** r<endfold id='1'>,</endfold id='1'>
91	rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='2'>,</endfold id='2'>	91	rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='1'>,</endfold id='1'>
92		92
93	# Link rules (two ways)	93	# Link rules (two ways)
94	l /foo1 -> /bar<endfold id='2'>,</endfold id='2'>	94	l /foo1 -> /bar<endfold id='1'>,</endfold id='1'>
95	<beginfold id='2'>link</beginfold id='2'> /foo2 -> bar<endfold id='2'>,</endfold id='2'>	95	<beginfold id='1'>link</beginfold id='1'> /foo2 -> bar<endfold id='1'>,</endfold id='1'>
96	<beginfold id='2'>link</beginfold id='2'> /foo3 to bar<endfold id='2'>,</endfold id='2'>	96	<beginfold id='1'>link</beginfold id='1'> /foo3 to bar<endfold id='1'>,</endfold id='1'>
97	<beginfold id='2'>link</beginfold id='2'> subset /link* -> /**<endfold id='2'>,</endfold id='2'>	97	<beginfold id='1'>link</beginfold id='1'> subset /link* -> /**<endfold id='1'>,</endfold id='1'>
98		98
99	# Network rules	99	# Network rules
100	<beginfold id='2'>network</beginfold id='2'> inet6 tcp<endfold id='2'>,</endfold id='2'>	100	<beginfold id='1'>network</beginfold id='1'> inet6 tcp<endfold id='1'>,</endfold id='1'>
101	<beginfold id='2'>network</beginfold id='2'> netlink dgram<endfold id='2'>,</endfold id='2'>	101	<beginfold id='1'>network</beginfold id='1'> netlink dgram<endfold id='1'>,</endfold id='1'>
102	<beginfold id='2'>network</beginfold id='2'> bluetooth<endfold id='2'>,</endfold id='2'>	102	<beginfold id='1'>network</beginfold id='1'> bluetooth<endfold id='1'>,</endfold id='1'>
103	<beginfold id='2'>network</beginfold id='2'> unspec dgram<endfold id='2'>,</endfold id='2'>	103	<beginfold id='1'>network</beginfold id='1'> unspec dgram<endfold id='1'>,</endfold id='1'>
104		104
105	# Capability rules	105	# Capability rules
106	<beginfold id='2'>capability</beginfold id='2'> dac_override<endfold id='2'>,</endfold id='2'>	106	<beginfold id='1'>capability</beginfold id='1'> dac_override<endfold id='1'>,</endfold id='1'>
107	<beginfold id='2'>capability</beginfold id='2'> sys_admin<endfold id='2'>,</endfold id='2'>	107	<beginfold id='1'>capability</beginfold id='1'> sys_admin<endfold id='1'>,</endfold id='1'>
108	<beginfold id='2'>capability</beginfold id='2'> sys_chroot<endfold id='2'>,</endfold id='2'>	108	<beginfold id='1'>capability</beginfold id='1'> sys_chroot<endfold id='1'>,</endfold id='1'>
109		109
110	# Mount rules	110	# Mount rules
111	<beginfold id='2'>mount</beginfold id='2'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home//.helloworld/ -> /home//helloworld/<endfold id='2'>,</endfold id='2'>	111	<beginfold id='1'>mount</beginfold id='1'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home//.helloworld/ -> /home//helloworld/<endfold id='1'>,</endfold id='1'>
112	<beginfold id='2'>mount</beginfold id='2'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='2'>,</endfold id='2'>	112	<beginfold id='1'>mount</beginfold id='1'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='1'>,</endfold id='1'>
113	<beginfold id='2'>mount</beginfold id='2'> option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media//<endfold id='2'>,</endfold id='2'>	113	<beginfold id='1'>mount</beginfold id='1'> option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media//<endfold id='1'>,</endfold id='1'>
114	<beginfold id='2'>umount</beginfold id='2'> /home/*/helloworld/<endfold id='2'>,</endfold id='2'>	114	<beginfold id='1'>umount</beginfold id='1'> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
115		115
116	# Pivot Root rules	116	# Pivot Root rules
117	<beginfold id='2'>pivot_root</beginfold id='2'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='2'>,</endfold id='2'>	117	<beginfold id='1'>pivot_root</beginfold id='1'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='1'>,</endfold id='1'>
118	<beginfold id='2'>pivot_root</beginfold id='2'> /mnt/root/<endfold id='2'>,</endfold id='2'>	118	<beginfold id='1'>pivot_root</beginfold id='1'> /mnt/root/<endfold id='1'>,</endfold id='1'>
119		119
120	# Ptrace rules	120	# Ptrace rules
121	<beginfold id='2'>ptrace</beginfold id='2'> (trace) peer=unconfined<endfold id='2'>,</endfold id='2'>	121	<beginfold id='1'>ptrace</beginfold id='1'> (trace) peer=unconfined<endfold id='1'>,</endfold id='1'>
122	<beginfold id='2'>ptrace</beginfold id='2'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='2'>,</endfold id='2'>	122	<beginfold id='1'>ptrace</beginfold id='1'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='1'>,</endfold id='1'>
123		123
124	# Unix rules	124	# Unix rules
125	<beginfold id='2'>unix</beginfold id='2'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='2'>,</endfold id='2'>	125	<beginfold id='1'>unix</beginfold id='1'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='1'>,</endfold id='1'>
126	<beginfold id='2'>unix</beginfold id='2'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='2'>,</endfold id='2'>	126	<beginfold id='1'>unix</beginfold id='1'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='1'>,</endfold id='1'>
127	<beginfold id='2'>unix</beginfold id='2'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='2'>,</endfold id='2'>	127	<beginfold id='1'>unix</beginfold id='1'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='1'>,</endfold id='1'>
128		128
129	# Rlimit rule	129	# Rlimit rule
130	set <beginfold id='2'>rlimit</beginfold id='2'> data <= 100M<endfold id='2'>,</endfold id='2'>	130	set <beginfold id='1'>rlimit</beginfold id='1'> data <= 100M<endfold id='1'>,</endfold id='1'>
131	set <beginfold id='2'>rlimit</beginfold id='2'> nproc <= 10<endfold id='2'>,</endfold id='2'>	131	set <beginfold id='1'>rlimit</beginfold id='1'> nproc <= 10<endfold id='1'>,</endfold id='1'>
132	set <beginfold id='2'>rlimit</beginfold id='2'> memlock <= 2GB<endfold id='2'>,</endfold id='2'>	132	set <beginfold id='1'>rlimit</beginfold id='1'> memlock <= 2GB<endfold id='1'>,</endfold id='1'>
133	set <beginfold id='2'>rlimit</beginfold id='2'> rss <= infinity<endfold id='2'>,</endfold id='2'>	133	set <beginfold id='1'>rlimit</beginfold id='1'> rss <= infinity<endfold id='1'>,</endfold id='1'>
134		134
135	# Change Profile rules	135	# Change Profile rules
136	<beginfold id='2'>change_profile</beginfold id='2'> unsafe / -> [^u/]<endfold id='2'>,</endfold id='2'>	136	<beginfold id='1'>change_profile</beginfold id='1'> unsafe / -> [^u/]<endfold id='1'>,</endfold id='1'>
137	<beginfold id='2'>change_profile</beginfold id='2'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='2'>,</endfold id='2'>	137	<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='1'>,</endfold id='1'>
138	<beginfold id='2'>change_profile</beginfold id='2'> /bin/bash ->	138	<beginfold id='1'>change_profile</beginfold id='1'> /bin/bash ->
139	new_profile//hat<endfold id='2'>,</endfold id='2'>	139	new_profile//hat<endfold id='1'>,</endfold id='1'>
140	<endfold id='1'>}</endfold id='1'>	140	<endfold id='2'>}</endfold id='2'>
141		141
142	# Hat	142	# Hat
143	^foo-helper\/ <beginfold id='1'>{</beginfold id='1'>	143	^foo-helper\/ <beginfold id='2'>{</beginfold id='2'>
144	<beginfold id='2'>network</beginfold id='2'> unix stream<endfold id='2'>,</endfold id='2'>	144	<beginfold id='1'>network</beginfold id='1'> unix stream<endfold id='1'>,</endfold id='1'>
145	<beginfold id='2'>unix</beginfold id='2'> stream<endfold id='2'>,</endfold id='2'>	145	<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
146		146
147	/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='2'>,</endfold id='2'> # Escape expressions	147	/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='1'>,</endfold id='1'> # Escape expressions
148		148
149	# Text after a variable is highlighted as path	149	# Text after a variable is highlighted as path
150	<beginfold id='2'>file</beginfold id='2'> /my/path r<endfold id='2'>,</endfold id='2'>	150	<beginfold id='1'>file</beginfold id='1'> /my/path r<endfold id='1'>,</endfold id='1'>
151	@{FOO_LIB}file r<endfold id='2'>,</endfold id='2'>	151	@{FOO_LIB}file r<endfold id='1'>,</endfold id='1'>
152	@{FOO_LIB}#my/path r<endfold id='2'>,</endfold id='2'> #Comment	152	@{FOO_LIB}#my/path r<endfold id='1'>,</endfold id='1'> #Comment
153	@{FOO_LIB}ñ* r<endfold id='2'>,</endfold id='2'>	153	@{FOO_LIB}ñ* r<endfold id='1'>,</endfold id='1'>
154	<beginfold id='2'>unix</beginfold id='2'> (/path\t{aa},a @{var}path, @{var},*)<endfold id='2'>,</endfold id='2'>	154	<beginfold id='1'>unix</beginfold id='1'> (/path\t{aa},a @{var}path, @{var},*)<endfold id='1'>,</endfold id='1'>
155	<endfold id='1'>}</endfold id='1'>	155	<endfold id='2'>}</endfold id='2'>
156	<endfold id='1'>}</endfold id='1'>	156	<endfold id='2'>}</endfold id='2'>
157		157
158	# Syntax Error	158	# Syntax Error
159	/usr/bin/error (complain, audit) <beginfold id='1'>{</beginfold id='1'>	159	/usr/bin/error (complain, audit) <beginfold id='2'>{</beginfold id='2'>
160	<beginfold id='2'>file</beginfold id='2'> #include /hello r<endfold id='2'>,</endfold id='2'>	160	<beginfold id='1'>file</beginfold id='1'> #include /hello r<endfold id='1'>,</endfold id='1'>
161		161
162	# Error: Variable open or with characters not allowed	162	# Error: Variable open or with characters not allowed
163	@<beginfold id='1'>{</beginfold id='1'>var	163	@<beginfold id='2'>{</beginfold id='2'>var
164	@<beginfold id='1'>{</beginfold id='1'>sdf&s<endfold id='1'>}</endfold id='1'>	164	@<beginfold id='2'>{</beginfold id='2'>sdf&s<endfold id='2'>}</endfold id='2'>
165		165
166	# Error: Open brackets	166	# Error: Open brackets
167	/{hello{ab,cd}world kr<endfold id='2'>,</endfold id='2'>	167	/{hello{ab,cd}world kr<endfold id='1'>,</endfold id='1'>
168	/{abc{abc kr<endfold id='2'>,</endfold id='2'>	168	/{abc{abc kr<endfold id='1'>,</endfold id='1'>
169	/[abc kr<endfold id='2'>,</endfold id='2'>	169	/[abc kr<endfold id='1'>,</endfold id='1'>
170	/(abc kr<endfold id='2'>,</endfold id='2'>	170	/(abc kr<endfold id='1'>,</endfold id='1'>
171		171
172	# Error: Empty brackets	172	# Error: Empty brackets
173	/hello[]hello{}hello()he kr<endfold id='2'>,</endfold id='2'>	173	/hello[]hello{}hello()he kr<endfold id='1'>,</endfold id='1'>
174		174
175	# Comments not allowed	175	# Comments not allowed
176	<beginfold id='2'>dbus</beginfold id='2'> (send) #No comment	176	<beginfold id='1'>dbus</beginfold id='1'> (send) #No comment
177	path=/org/hello	177	path=/org/hello
178	#No comment	178	#No comment
179	interface=org.hello #No comment	179	interface=org.hello #No comment
180	peer=(name=org.hello #No comment	180	peer=(name=org.hello #No comment
181	label=unconfined)<endfold id='2'>,</endfold id='2'> #Comment	181	label=unconfined)<endfold id='1'>,</endfold id='1'> #Comment
182	@{VARIABLE} = val1 val2 val3 #No comment	182
		183	# Don't allow assignment of variables within profiles
		184	@{VARIABLE} = val1 val2 val3 # Comment
		185
		186	# Alias rules not allowed within profiles
		187	alias /run/ -> /mnt/run/,
183		188
184	# Error: Open rule	189	# Error: Open rule
185	/home/*/file rw	190	/home/*/file rw
186	<endfold id='2'></endfold id='2'><beginfold id='2'>capability</beginfold id='2'> dac_override	191	<endfold id='1'></endfold id='1'><beginfold id='1'>capability</beginfold id='1'> dac_override
187	<endfold id='2'>deny</endfold id='2'> <beginfold id='2'>file</beginfold id='2'> /etc/fstab w	192	<endfold id='1'>deny</endfold id='1'> <beginfold id='1'>file</beginfold id='1'> /etc/fstab w
188	<endfold id='2'>audit</endfold id='2'> <beginfold id='2'>network</beginfold id='2'> ieee802154<endfold id='2'>,</endfold id='2'>	193	<endfold id='1'>audit</endfold id='1'> <beginfold id='1'>network</beginfold id='1'> ieee802154<endfold id='1'>,</endfold id='1'>
189		194
190	<beginfold id='2'>dbus</beginfold id='2'> (receive	195	<beginfold id='1'>dbus</beginfold id='1'> (receive
191	<endfold id='2'></endfold id='2'><beginfold id='2'>unix</beginfold id='2'> stream<endfold id='2'>,</endfold id='2'>	196	<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
192	<beginfold id='2'>unix</beginfold id='2'> stream<endfold id='2'>,</endfold id='2'>	197	<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
193	<endfold id='1'>}</endfold id='1'>	198	<endfold id='2'>}</endfold id='2'>
194		199
195	profile other_tests <beginfold id='1'>{</beginfold id='1'>	200	profile other_tests <beginfold id='2'>{</beginfold id='2'>
196	# set rlimit	201	# set rlimit
197	set <beginfold id='2'>rlimit</beginfold id='2'> nice <= 3<endfold id='2'>,</endfold id='2'>	202	set <beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'>
198	<beginfold id='2'>rlimit</beginfold id='2'> nice <= 3<endfold id='2'>,</endfold id='2'> # Without "set"	203	<beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'> # Without "set"
199	set #comment	204	set #comment
200	<beginfold id='2'>rlimit</beginfold id='2'>	205	<beginfold id='1'>rlimit</beginfold id='1'>
201	nice <= 3<endfold id='2'>,</endfold id='2'>	206	nice <= 3<endfold id='1'>,</endfold id='1'>
202		207
203	# "remount" keyword	208	# "remount" keyword
204	<beginfold id='2'>mount</beginfold id='2'> remount	209	<beginfold id='1'>mount</beginfold id='1'> remount
205	remount<endfold id='2'>,</endfold id='2'>	210	remount<endfold id='1'>,</endfold id='1'>
206	<beginfold id='2'>remount</beginfold id='2'> remount	211	<beginfold id='1'>remount</beginfold id='1'> remount
207	remount<endfold id='2'>,</endfold id='2'>	212	remount<endfold id='1'>,</endfold id='1'>
208	<beginfold id='2'>dbus</beginfold id='2'> remount	213	<beginfold id='1'>dbus</beginfold id='1'> remount
209	<endfold id='2'></endfold id='2'><beginfold id='2'>remount</beginfold id='2'><endfold id='2'>,</endfold id='2'>	214	<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
210	<beginfold id='2'>unix</beginfold id='2'> remount	215	<beginfold id='1'>unix</beginfold id='1'> remount
211	<endfold id='2'></endfold id='2'><beginfold id='2'>remount</beginfold id='2'><endfold id='2'>,</endfold id='2'>	216	<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
212	# "unix" keyword	217	# "unix" keyword
213	<beginfold id='2'>network</beginfold id='2'> unix	218	<beginfold id='1'>network</beginfold id='1'> unix
214	unix<endfold id='2'>,</endfold id='2'>	219	unix<endfold id='1'>,</endfold id='1'>
215	<beginfold id='2'>ptrace</beginfold id='2'> unix	220	<beginfold id='1'>ptrace</beginfold id='1'> unix
216	<endfold id='2'></endfold id='2'><beginfold id='2'>unix</beginfold id='2'><endfold id='2'>,</endfold id='2'>	221	<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
217	<beginfold id='2'>unix</beginfold id='2'> unix	222	<beginfold id='1'>unix</beginfold id='1'> unix
218	<endfold id='2'></endfold id='2'><beginfold id='2'>unix</beginfold id='2'><endfold id='2'>,</endfold id='2'>	223	<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
219		224
220	# Transition rules	225	# Transition rules
221	/usr/bin/foo cx -> hello*<endfold id='2'>,</endfold id='2'>	226	/usr/bin/foo cx -> hello*<endfold id='1'>,</endfold id='1'> # profile name
222	/usr/bin/foo Cx -> path/<endfold id='2'>,</endfold id='2'>	227	/usr/bin/foo Cx -> path/<endfold id='1'>,</endfold id='1'> # path
223	/usr/bin/foo cx -> ab[ad/]hello<endfold id='2'>,</endfold id='2'>	228	/usr/bin/foo cx -> ab[ad/]hello<endfold id='1'>,</endfold id='1'> # profile name
224	/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='2'>,</endfold id='2'>	229	/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='1'>,</endfold id='1'> # path
225	/usr/bin/foo Cx -> ab[hello/path<endfold id='2'>,</endfold id='2'>	230	/usr/bin/foo Cx -> ab[hello/path<endfold id='1'>,</endfold id='1'> # profile name
226		231
227	/usr/bin/foo cx -> "hello*"<endfold id='2'>,</endfold id='2'>	232	/usr/bin/foo cx -> "hello*"<endfold id='1'>,</endfold id='1'> # profile name
228	/usr/bin/foo Cx -> "path/"<endfold id='2'>,</endfold id='2'>	233	/usr/bin/foo Cx -> "path/"<endfold id='1'>,</endfold id='1'> # path
229	/usr/bin/foo cx -> "ab[ad/]hello"<endfold id='2'>,</endfold id='2'>	234	/usr/bin/foo cx -> "ab[ad/]hello"<endfold id='1'>,</endfold id='1'> # profile name
230	/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='2'>,</endfold id='2'>	235	/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='1'>,</endfold id='1'> # path
231	/usr/bin/foo Cx -> "ab[hello/path"<endfold id='2'>,</endfold id='2'>	236	/usr/bin/foo Cx -> "ab[hello/path"<endfold id='1'>,</endfold id='1'> # profile name
232		237
233	/usr/bin/foo cx -> holas//hello/sa<endfold id='2'>,</endfold id='2'>	238	/usr/bin/foo cx -> holas//hello/sa<endfold id='1'>,</endfold id='1'> # path
234	/usr/bin/foo cx -> df///dd//hat<endfold id='2'>,</endfold id='2'>	239	/usr/bin/foo cx -> df///dd//hat<endfold id='1'>,</endfold id='1'> # path + hat
235	/usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='2'>,</endfold id='2'>	240	/usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='1'>,</endfold id='1'> # profile name
236		241
237	# Access modes	242	# Access modes
238	/hello/lib/foo rwklms, # s invalid	243	/hello/lib/foo rwklms, # s invalid
239	/hello/lib/foo rwmaix, # w & a incompatible	244	/hello/lib/foo rwmaix, # w & a incompatible
240	/hello/lib/foo kalmw,	245	/hello/lib/foo kalmw,
241	/hello/lib/foo wa,	246	/hello/lib/foo wa,
242	# OK	247	# OK
243	/hello/lib/foo rrwrwwrwrw<endfold id='2'>,</endfold id='2'>	248	/hello/lib/foo rrwrwwrwrw<endfold id='1'>,</endfold id='1'>
244	/hello/lib/foo ixixix<endfold id='2'>,</endfold id='2'>	249	/hello/lib/foo ixixix<endfold id='1'>,</endfold id='1'>
245	# Incompatible exec permissions	250	# Incompatible exec permissions
246	ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,	251	ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
247	pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,	252	pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
248	Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,	253	Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
249	# Test valid permissions	254	# Test valid permissions
250	r w a k l m l x ix ux Ux px Px cx Cx <endfold id='2'>,</endfold id='2'>	255	r w a k l m l x ix ux Ux px Px cx Cx <endfold id='1'>,</endfold id='1'>
251	pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='2'>,</endfold id='2'>	256	pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='1'>,</endfold id='1'>
252	rwklmx raklmx<endfold id='2'>,</endfold id='2'>	257	rwklmx raklmx<endfold id='1'>,</endfold id='1'>
253	r rw rwk rwkl rwklm<endfold id='2'>,</endfold id='2'>	258	r rw rwk rwkl rwklm<endfold id='1'>,</endfold id='1'>
254	rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='2'>,</endfold id='2'>	259	rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='1'>,</endfold id='1'>
255	rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='2'>,</endfold id='2'>	260	rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='1'>,</endfold id='1'>
256	rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='2'>,</endfold id='2'>	261	rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='1'>,</endfold id='1'>
257		262
258	# Profile name	263	# Profile name
259	profile holas <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	264	profile holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
260	profile <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	265	profile <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
261	profile /path <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	266	profile /path <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
262	profile holas/abc <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	267	profile holas/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
263	profile holas\/abc <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	268	profile holas\/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
264	profile	269	profile
265	#holas <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	270	#holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
266		271
267	profile flags=(complain)#asd <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	272	profile flags=(complain)#asd <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
268	profile flags flags=(complain) <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	273	profile flags flags=(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
269	profile flags(complain) <beginfold id='1'>{</beginfold id='1'> ... <endfold id='1'>}</endfold id='1'>	274	profile flags(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
270	<endfold id='1'>}</endfold id='1'>	275	<endfold id='2'>}</endfold id='2'>