0001 # kate: syntax AppArmor Security Profile; replace-tabs off;
0002
0003 #
0004 # Sample AppArmor Profile.
0005 # License: Public Domain
0006 #
0007 # NOTE: This profile is not fully functional, since
0008 # it is designed to test the syntax highlighting
0009 # for the KDE's KSyntaxHighlighting framework.
0010 #
0011
0012 include <tunables/global>
0013
0014 # Variable assignment
0015 @{FOO_LIB}=/usr/lib{,32,64}/foo
0016 @{USER_DIR}
0017 = @{HOME}/Public @{HOME}/Desktop #No-Comment
0018 @{USER_DIR} += @{HOME}/Hello \
0019 deny owner #No-comment aa#aa
0020 ${BOOL} = true
0021
0022 # Alias
0023 <beginfold id='1'>alias</beginfold id='1'> /usr/ -> /mnt/usr/<endfold id='1'>,</endfold id='1'>
0024
0025 # ABI feature
0026 <beginfold id='1'>abi</beginfold id='1'> <abi/3.0><endfold id='1'>,</endfold id='1'>
0027 <beginfold id='1'>abi</beginfold id='1'> <"includes/abi/4.19"><endfold id='1'>,</endfold id='1'>
0028 <beginfold id='1'>abi</beginfold id='1'> "simple_tests/includes/abi/4.19"<endfold id='1'>,</endfold id='1'>
0029 <beginfold id='1'>abi</beginfold id='1'> simple_tests/includes/abi/4.19<endfold id='1'>,</endfold id='1'>
0030
0031 # Profile for /usr/bin/foo
0032 profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) <beginfold id='2'>{</beginfold id='2'>
0033 #include <abstractions/ubuntu-helpers>
0034 #include<abstractions/wayland>
0035 #include"/etc/apparmor.d/abstractions/ubuntu-konsole"
0036 include "/etc/apparmor.d/abstractions/openssl"
0037
0038 include if exists <path with spaces>
0039 include <include_tests/includes_okay_helper.include> #include <includes/base>
0040 /some/file mr<endfold id='1'>,</endfold id='1'> #include <includes/base> /bin/true Px<endfold id='1'>,</endfold id='1'>
0041
0042 # File rules
0043 /{,**/} r<endfold id='1'>,</endfold id='1'>
0044 owner /{home,media,mnt,srv,net}/** r<endfold id='1'>,</endfold id='1'>
0045 owner @{USER_DIR}/** rw<endfold id='1'>,</endfold id='1'>
0046 audit deny owner /**/* mx<endfold id='1'>,</endfold id='1'>
0047 /**.[tT][xX][tT] r<endfold id='1'>,</endfold id='1'> # txt
0048
0049 owner <beginfold id='1'>file</beginfold id='1'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='1'>,</endfold id='1'>
0050 owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk<endfold id='1'>,</endfold id='1'>
0051
0052 "/usr/share/**" r<endfold id='1'>,</endfold id='1'>
0053 "/var/lib/flatpak/exports/share/**" r<endfold id='1'>,</endfold id='1'>
0054 "/var/lib/{spaces in
0055 string,hello}/a[^ a]a/**" r<endfold id='1'>,</endfold id='1'>
0056
0057 allow <beginfold id='1'>file</beginfold id='1'> /etc/nsswitch.conf r<endfold id='1'>,</endfold id='1'>
0058 allow /etc/fstab r<endfold id='1'>,</endfold id='1'>
0059 deny /etc/xdg/{autostart,systemd}/** r<endfold id='1'>,</endfold id='1'>
0060 deny /boot/** rwlkmx<endfold id='1'>,</endfold id='1'>
0061
0062 owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='1'>,</endfold id='1'>
0063 /sys/devices/**/uevent r<endfold id='1'>,</endfold id='1'>
0064 @{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='1'>,</endfold id='1'>
0065
0066 /usr/bin/foo ixr<endfold id='1'>,</endfold id='1'>
0067 /usr/bin/dolphin pUx<endfold id='1'>,</endfold id='1'>
0068 /usr/bin/* Pixr<endfold id='1'>,</endfold id='1'>
0069 /usr/bin/khelpcenter Cx -> sanitized_helper<endfold id='1'>,</endfold id='1'>
0070 /usr/bin/helloworld cxr ->
0071 hello_world<endfold id='1'>,</endfold id='1'>
0072 /bin/** px -> profile<endfold id='1'>,</endfold id='1'>
0073
0074 # Dbus rules
0075 <beginfold id='1'>dbus</beginfold id='1'> (send) #No-Comment
0076 bus=system
0077 path=/org/freedesktop/NetworkManager
0078 interface=org.freedesktop.DBus.Introspectable
0079 peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='1'>,</endfold id='1'>
0080 <beginfold id='1'>dbus</beginfold id='1'> (send receive)
0081 bus=system
0082 path=/org/freedesktop/NetworkManager
0083 interface=org.freedesktop.NetworkManager
0084 member={Introspect,state}
0085 peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus))<endfold id='1'>,</endfold id='1'>
0086 <beginfold id='1'>dbus</beginfold id='1'> (send)
0087 bus=session
0088 path=/org/gnome/GConf/Database/*
0089 member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='1'>,</endfold id='1'>
0090 <beginfold id='1'>dbus</beginfold id='1'> (bind)
0091 bus=system
0092 name=org.bluez<endfold id='1'>,</endfold id='1'>
0093
0094 # Signal rules
0095 <beginfold id='1'>signal</beginfold id='1'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='1'>,</endfold id='1'>
0096 <beginfold id='1'>signal</beginfold id='1'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='1'>,</endfold id='1'>
0097
0098 # Child profile
0099 profile hello_world <beginfold id='2'>{</beginfold id='2'>
0100 # File rules (three different ways)
0101 <beginfold id='1'>file</beginfold id='1'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='1'>,</endfold id='1'>
0102 /usr/lib{,32,64}/helloworld/** r<endfold id='1'>,</endfold id='1'>
0103 rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='1'>,</endfold id='1'>
0104
0105 # Link rules (two ways)
0106 l /foo1 -> /bar<endfold id='1'>,</endfold id='1'>
0107 <beginfold id='1'>link</beginfold id='1'> /foo2 -> bar<endfold id='1'>,</endfold id='1'>
0108 <beginfold id='1'>link</beginfold id='1'> subset /link* -> /**<endfold id='1'>,</endfold id='1'>
0109
0110 # Network rules
0111 <beginfold id='1'>network</beginfold id='1'> inet6 tcp<endfold id='1'>,</endfold id='1'>
0112 <beginfold id='1'>network</beginfold id='1'> netlink dgram<endfold id='1'>,</endfold id='1'>
0113 <beginfold id='1'>network</beginfold id='1'> bluetooth<endfold id='1'>,</endfold id='1'>
0114 <beginfold id='1'>network</beginfold id='1'> unspec dgram<endfold id='1'>,</endfold id='1'>
0115
0116 # Capability rules
0117 <beginfold id='1'>capability</beginfold id='1'> dac_override<endfold id='1'>,</endfold id='1'>
0118 <beginfold id='1'>capability</beginfold id='1'> sys_admin<endfold id='1'>,</endfold id='1'>
0119 <beginfold id='1'>capability</beginfold id='1'> sys_chroot<endfold id='1'>,</endfold id='1'>
0120
0121 # Mount rules
0122 <beginfold id='1'>mount</beginfold id='1'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
0123 <beginfold id='1'>mount</beginfold id='1'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='1'>,</endfold id='1'>
0124 <beginfold id='1'>mount</beginfold id='1'> options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*<endfold id='1'>,</endfold id='1'>
0125 <beginfold id='1'>umount</beginfold id='1'> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
0126
0127 # Pivot Root rules
0128 <beginfold id='1'>pivot_root</beginfold id='1'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='1'>,</endfold id='1'>
0129 <beginfold id='1'>pivot_root</beginfold id='1'> /mnt/root/<endfold id='1'>,</endfold id='1'>
0130
0131 # Ptrace rules
0132 <beginfold id='1'>ptrace</beginfold id='1'> (trace) peer=unconfined<endfold id='1'>,</endfold id='1'>
0133 <beginfold id='1'>ptrace</beginfold id='1'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='1'>,</endfold id='1'>
0134
0135 # Unix rules
0136 <beginfold id='1'>unix</beginfold id='1'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='1'>,</endfold id='1'>
0137 <beginfold id='1'>unix</beginfold id='1'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='1'>,</endfold id='1'>
0138 <beginfold id='1'>unix</beginfold id='1'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='1'>,</endfold id='1'>
0139
0140 # Rlimit rule
0141 set <beginfold id='1'>rlimit</beginfold id='1'> data <= 100M<endfold id='1'>,</endfold id='1'>
0142 set <beginfold id='1'>rlimit</beginfold id='1'> nproc <= 10<endfold id='1'>,</endfold id='1'>
0143 set <beginfold id='1'>rlimit</beginfold id='1'> memlock <= 2GB<endfold id='1'>,</endfold id='1'>
0144 set <beginfold id='1'>rlimit</beginfold id='1'> rss <= infinity<endfold id='1'>,</endfold id='1'>
0145 set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12<endfold id='1'>,</endfold id='1'>
0146
0147 # Change Profile rules
0148 <beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> [^u/]**<endfold id='1'>,</endfold id='1'>
0149 <beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='1'>,</endfold id='1'>
0150 <beginfold id='1'>change_profile</beginfold id='1'> /bin/bash ->
0151 new_profile//hat<endfold id='1'>,</endfold id='1'>
0152 <endfold id='2'>}</endfold id='2'>
0153
0154 # Hat
0155 ^foo-helper\/ <beginfold id='2'>{</beginfold id='2'>
0156 <beginfold id='1'>network</beginfold id='1'> unix stream<endfold id='1'>,</endfold id='1'>
0157 <beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
0158
0159 /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='1'>,</endfold id='1'> # Escape expressions
0160
0161 # Text after a variable is highlighted as path
0162 <beginfold id='1'>file</beginfold id='1'> /my/path r<endfold id='1'>,</endfold id='1'>
0163 @{FOO_LIB}file r<endfold id='1'>,</endfold id='1'>
0164 @{FOO_LIB}#my/path r<endfold id='1'>,</endfold id='1'> #Comment
0165 @{FOO_LIB}ñ* r<endfold id='1'>,</endfold id='1'>
0166 <beginfold id='1'>unix</beginfold id='1'> (/path\t{aa}*,*a @{var}*path,* @{var},*)<endfold id='1'>,</endfold id='1'>
0167 <endfold id='2'>}</endfold id='2'>
0168 <endfold id='2'>}</endfold id='2'>
0169
0170 # Syntax Error
0171 /usr/bin/error (complain, audit) <beginfold id='2'>{</beginfold id='2'>
0172 <beginfold id='1'>file</beginfold id='1'> #include /hello r<endfold id='1'>,</endfold id='1'>
0173
0174 # Error: Variable open or with characters not allowed
0175 @<beginfold id='2'>{</beginfold id='2'>var
0176 @<beginfold id='2'>{</beginfold id='2'>sdf&s<endfold id='2'>}</endfold id='2'>
0177
0178 # Error: Open brackets
0179 /{hello{ab,cd}world kr<endfold id='1'>,</endfold id='1'>
0180 /{abc{abc kr<endfold id='1'>,</endfold id='1'>
0181 /[abc kr<endfold id='1'>,</endfold id='1'>
0182 /(abc kr<endfold id='1'>,</endfold id='1'>
0183
0184 # Error: Empty brackets
0185 /hello[]hello{}hello()he kr<endfold id='1'>,</endfold id='1'>
0186
0187 # Comments not allowed
0188 <beginfold id='1'>dbus</beginfold id='1'> (send) #No comment
0189 path=/org/hello
0190 #No comment
0191 interface=org.hello #No comment
0192 peer=(name=org.hello #No comment
0193 label=unconfined)<endfold id='1'>,</endfold id='1'> #Comment
0194
0195 # Don't allow assignment of variables within profiles
0196 @{VARIABLE} = val1 val2 val3 # Comment
0197
0198 # Alias rules not allowed within profiles
0199 alias /run/ -> /mnt/run/,
0200
0201 # Error: Open rule
0202 /home/*/file rw
0203 <endfold id='1'></endfold id='1'><beginfold id='1'>capability</beginfold id='1'> dac_override
0204 <endfold id='1'>deny</endfold id='1'> <beginfold id='1'>file</beginfold id='1'> /etc/fstab w
0205 <endfold id='1'>audit</endfold id='1'> <beginfold id='1'>network</beginfold id='1'> ieee802154<endfold id='1'>,</endfold id='1'>
0206
0207 <beginfold id='1'>dbus</beginfold id='1'> (receive
0208 <endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
0209 <beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
0210 <endfold id='2'>}</endfold id='2'>
0211
0212 profile other_tests <beginfold id='2'>{</beginfold id='2'>
0213 # set rlimit
0214 set <beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'>
0215 <beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'> # Without "set"
0216 set #comment
0217 <beginfold id='1'>rlimit</beginfold id='1'>
0218 nice <= 3<endfold id='1'>,</endfold id='1'>
0219
0220 # "remount" keyword
0221 <beginfold id='1'>mount</beginfold id='1'> remount
0222 remount<endfold id='1'>,</endfold id='1'>
0223 <beginfold id='1'>remount</beginfold id='1'> remount
0224 remount<endfold id='1'>,</endfold id='1'>
0225 <beginfold id='1'>dbus</beginfold id='1'> remount
0226 <endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
0227 <beginfold id='1'>unix</beginfold id='1'> remount
0228 <endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
0229 # "unix" keyword
0230 <beginfold id='1'>network</beginfold id='1'> unix
0231 unix<endfold id='1'>,</endfold id='1'>
0232 <beginfold id='1'>ptrace</beginfold id='1'> unix
0233 <endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
0234 <beginfold id='1'>unix</beginfold id='1'> unix
0235 <endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
0236
0237 # Transition rules
0238 /usr/bin/foo cx -> hello*<endfold id='1'>,</endfold id='1'> # profile name
0239 /usr/bin/foo Cx -> path/<endfold id='1'>,</endfold id='1'> # path
0240 /usr/bin/foo cx -> ab[ad/]hello<endfold id='1'>,</endfold id='1'> # profile name
0241 /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='1'>,</endfold id='1'> # path
0242 /usr/bin/foo Cx -> ab[hello/path<endfold id='1'>,</endfold id='1'> # profile name
0243
0244 /usr/bin/foo cx -> "hello*"<endfold id='1'>,</endfold id='1'> # profile name
0245 /usr/bin/foo Cx -> "path/"<endfold id='1'>,</endfold id='1'> # path
0246 /usr/bin/foo cx -> "ab[ad/]hello"<endfold id='1'>,</endfold id='1'> # profile name
0247 /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='1'>,</endfold id='1'> # path
0248 /usr/bin/foo Cx -> "ab[hello/path"<endfold id='1'>,</endfold id='1'> # profile name
0249
0250 /usr/bin/foo cx -> holas//hello/sa<endfold id='1'>,</endfold id='1'> # path
0251 /usr/bin/foo cx -> df///dd//hat<endfold id='1'>,</endfold id='1'> # path + hat
0252 /usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='1'>,</endfold id='1'> # profile name
0253
0254 # Access modes
0255 /hello/lib/foo rwklms, # s invalid
0256 /hello/lib/foo rwmaix, # w & a incompatible
0257 /hello/lib/foo kalmw,
0258 /hello/lib/foo wa,
0259 # OK
0260 /hello/lib/foo rrwrwwrwrw<endfold id='1'>,</endfold id='1'>
0261 /hello/lib/foo ixixix<endfold id='1'>,</endfold id='1'>
0262 # Incompatible exec permissions
0263 ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
0264 pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
0265 Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
0266 # Test valid permissions
0267 r w a k l m l x ix ux Ux px Px cx Cx <endfold id='1'>,</endfold id='1'>
0268 pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='1'>,</endfold id='1'>
0269 rwklmx raklmx<endfold id='1'>,</endfold id='1'>
0270 r rw rwk rwkl rwklm<endfold id='1'>,</endfold id='1'>
0271 rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='1'>,</endfold id='1'>
0272 rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='1'>,</endfold id='1'>
0273 rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='1'>,</endfold id='1'>
0274
0275 # Profile name
0276 profile holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0277 profile <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0278 profile /path <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0279 profile holas/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0280 profile holas\/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0281 profile
0282 #holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0283
0284 profile flags=(complain)#asd <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0285 profile flags flags=(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0286 profile flags(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
0287 <endfold id='2'>}</endfold id='2'>