0001 <!DOCTYPE html> 0002 <html><head> 0003 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> 0004 <title>test.apparmor</title> 0005 <meta name="generator" content="KF5::SyntaxHighlighting - Definition (AppArmor Security Profile) - Theme (Breeze Dark)"/> 0006 </head><body style="background-color:#232629;color:#cfcfc2"><pre> 0007 <span style="color:#7a7c7d;"># </span><span style="color:#3f8058;">kate:</span><span style="color:#7a7c7d;"> </span><span style="color:#7f8c8d;">syntax</span><span style="color:#f44f4f;"> AppArmor Security Profile</span><span style="color:#7f8c8d;">;</span><span style="color:#7a7c7d;"> </span><span style="color:#7f8c8d;">replace-tabs</span><span style="color:#7a7c7d;"> </span><span style="color:#27ae60;">off</span><span style="color:#7f8c8d;">;</span> 0008 0009 <span style="color:#7a7c7d;">#</span> 0010 <span style="color:#7a7c7d;"># Sample AppArmor Profile.</span> 0011 <span style="color:#7a7c7d;"># License: Public Domain</span> 0012 <span style="color:#7a7c7d;">#</span> 0013 <span style="color:#7a7c7d;"># </span><span style="color:#81ca2d;background-color:#4d1f24;font-weight:bold;">NOTE</span><span style="color:#7a7c7d;">: This profile is not fully functional, since</span> 0014 <span style="color:#7a7c7d;"># it is designed to test the syntax highlighting</span> 0015 <span style="color:#7a7c7d;"># for the KDE's KSyntaxHighlighting framework.</span> 0016 <span style="color:#7a7c7d;">#</span> 0017 0018 <span style="color:#27ae60;">include </span><span style="color:#27ae60;"><tunables/global></span> 0019 0020 <span style="color:#7a7c7d;"># Variable assignment</span> 0021 <span style="color:#f67400;">@{FOO_LIB}</span><span style="color:#3f8058;">=</span>/usr/lib<span style="color:#da4453;">{</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">32</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">64}</span>/foo 0022 <span style="color:#f67400;">@{USER_DIR}</span> 0023 <span 
style="color:#3f8058;">=</span> <span style="color:#f67400;">@{HOME}</span>/Public <span style="color:#f67400;">@{HOME}</span>/Desktop <span style="color:#da4453;text-decoration:underline;">#</span>No-Comment 0024 <span style="color:#f67400;">@{USER_DIR}</span><span style="color:#3f8058;"> +=</span> <span style="color:#f67400;">@{HOME}</span>/Hello <span style="color:#3daee9;">\</span> 0025 deny owner <span style="color:#da4453;text-decoration:underline;">#</span>No-comment aa#aa 0026 <span style="color:#f67400;">${BOOL}</span> <span style="color:#3f8058;">=</span> <span style="color:#2980b9;">true</span> 0027 0028 <span style="color:#7a7c7d;"># Alias</span> 0029 <span style="color:#27aeae;font-weight:bold;">alias</span> /usr/ <span style="color:#da4453;font-weight:bold;">-></span> /mnt/usr/, 0030 0031 <span style="color:#7a7c7d;"># ABI feature</span> 0032 <span style="color:#27aeae;font-weight:bold;">abi</span> <span style="color:#27ae60;"><abi/3.0></span>, 0033 <span style="color:#27aeae;font-weight:bold;">abi</span> <span style="color:#27ae60;"><"includes/abi/4.19"></span>, 0034 <span style="color:#27aeae;font-weight:bold;">abi</span> <span style="color:#27ae60;">"simple_tests/includes/abi/4.19"</span>, 0035 <span style="color:#27aeae;font-weight:bold;">abi</span> <span style="color:#27ae60;">simple_tests/includes/abi/4.19</span>, 0036 0037 <span style="color:#7a7c7d;"># Profile for /usr/bin/foo</span> 0038 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">foo</span> /usr/bin/foo <span style="color:#27ae60;">flags</span><span style="color:#3f8058;">=</span>(<span style="color:#da4453;">attach_disconnected</span> <span style="color:#da4453;">enforce</span>) <span style="color:#27ae60;">xattrs</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">myvalue</span><span style="color:#3f8058;">=</span>foo <span style="color:#2980b9;">user.bar</span><span style="color:#3f8058;">=</span><span 
style="color:#3daee9;">*</span> <span style="color:#2980b9;">user.foo</span><span style="color:#3f8058;">=</span><span style="color:#f44f4f;">"bar"</span> ) <span style="color:#3f8058;">{</span> 0039 <span style="color:#27ae60;">#include </span><span style="color:#27ae60;"><abstractions/ubuntu-helpers></span> 0040 <span style="color:#27ae60;">#include</span><span style="color:#27ae60;"><abstractions/wayland></span> 0041 <span style="color:#27ae60;">#include</span><span style="color:#27ae60;">"/etc/apparmor.d/abstractions/ubuntu-konsole"</span> 0042 <span style="color:#27ae60;"> include </span><span style="color:#27ae60;">"/etc/apparmor.d/abstractions/openssl"</span> 0043 0044 <span style="color:#27ae60;"> include if exists </span><span style="color:#27ae60;"><path with spaces></span> 0045 <span style="color:#27ae60;"> include </span><span style="color:#27ae60;"><include_tests/includes_okay_helper.include></span> <span style="color:#27ae60;">#include </span><span style="color:#27ae60;"><includes/base></span> 0046 /some/file<span style="font-weight:bold;"> mr</span>, <span style="color:#27ae60;">#include </span><span style="color:#27ae60;"><includes/base></span> /bin/true<span style="font-weight:bold;"> Px</span>, 0047 0048 <span style="color:#7a7c7d;"># File rules</span> 0049 /<span style="color:#da4453;">{</span><span style="color:#7f8c8d;">,</span><span style="color:#3daee9;">**</span><span style="color:#da4453;">/}</span><span style="font-weight:bold;"> r</span>, 0050 <span style="color:#27aeae;font-weight:bold;">owner</span> /<span style="color:#da4453;">{home</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">media</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">mnt</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">srv</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">net}</span>/<span style="color:#3daee9;">**</span><span style="font-weight:bold;"> r</span>, 0051 <span 
style="color:#27aeae;font-weight:bold;">owner</span> <span style="color:#f67400;">@{USER_DIR}</span>/<span style="color:#3daee9;">**</span><span style="font-weight:bold;"> rw</span>, 0052 <span style="font-weight:bold;">audit</span> <span style="color:#da4453;font-weight:bold;">deny</span> <span style="color:#27aeae;font-weight:bold;">owner</span> /<span style="color:#3daee9;">**</span>/<span style="color:#3daee9;">*</span><span style="font-weight:bold;"> mx</span>, 0053 /<span style="color:#3daee9;">**</span>.<span style="color:#da4453;">[tT][xX][tT]</span><span style="font-weight:bold;"> r</span>, <span style="color:#7a7c7d;"># txt</span> 0054 0055 <span style="color:#27aeae;font-weight:bold;">owner</span> <span style="color:#27aeae;font-weight:bold;">file</span> <span style="color:#f67400;">@{HOME}</span>/.local/share/foo/<span style="color:#da4453;">{</span><span style="color:#7f8c8d;">,</span><span style="color:#3daee9;">**</span><span style="color:#da4453;">}</span><span style="font-weight:bold;"> rwkl</span>, 0056 <span style="color:#27aeae;font-weight:bold;">owner</span> <span style="color:#f67400;">@{HOME}</span>/.config/<span style="color:#3daee9;">*</span>.<span style="color:#da4453;">[a-zA-Z0-9]</span><span style="color:#3daee9;">*</span> <span style="font-weight:bold;"> rwk</span>, 0057 0058 <span style="color:#f44f4f;">"/usr/share/</span><span style="color:#3daee9;">**</span><span style="color:#f44f4f;">"</span><span style="font-weight:bold;"> r</span>, 0059 <span style="color:#f44f4f;">"/var/lib/flatpak/exports/share/</span><span style="color:#3daee9;">**</span><span style="color:#f44f4f;">"</span><span style="font-weight:bold;"> r</span>, 0060 <span style="color:#f44f4f;">"/var/lib/</span><span style="color:#da4453;">{spaces in</span> 0061 <span style="color:#da4453;"> string</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">hello}</span><span style="color:#f44f4f;">/a</span><span style="color:#da4453;">[</span><span 
style="color:#7f8c8d;">^</span><span style="color:#da4453;"> a]</span><span style="color:#f44f4f;">a/</span><span style="color:#3daee9;">**</span><span style="color:#f44f4f;">"</span><span style="font-weight:bold;"> r</span>, 0062 0063 <span style="color:#da4453;font-weight:bold;">allow</span> <span style="color:#27aeae;font-weight:bold;">file</span> /etc/nsswitch.conf <span style="font-weight:bold;"> r</span>, 0064 <span style="color:#da4453;font-weight:bold;">allow</span> /etc/fstab <span style="font-weight:bold;"> r</span>, 0065 <span style="color:#da4453;font-weight:bold;">deny</span> /etc/xdg/<span style="color:#da4453;">{autostart</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">systemd}</span>/<span style="color:#3daee9;">**</span> <span style="font-weight:bold;"> r</span>, 0066 <span style="color:#da4453;font-weight:bold;">deny</span> /boot/<span style="color:#3daee9;">**</span> <span style="font-weight:bold;"> rwlkmx</span>, 0067 0068 <span style="color:#27aeae;font-weight:bold;">owner</span> <span style="color:#f67400;">@{PROC}</span>/<span style="color:#f67400;">@{pid}</span>/<span style="color:#da4453;">{cmdline</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">mountinfo</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">mounts</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">stat</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">status</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">vmstat}</span><span style="font-weight:bold;"> r</span>, 0069 /sys/devices/<span style="color:#3daee9;">**</span>/uevent<span style="font-weight:bold;"> r</span>, 0070 <span style="color:#f67400;">@{FOO_LIB}</span>/<span style="color:#da4453;">{</span><span style="color:#f67400;">@{multiarch}</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">64}</span>/<span style="color:#3daee9;">**</span><span 
style="font-weight:bold;"> mr</span>, 0071 0072 /usr/bin/foo <span style="font-weight:bold;"> ixr</span>, 0073 /usr/bin/dolphin <span style="font-weight:bold;"> pUx</span>, 0074 /usr/bin/<span style="color:#3daee9;">*</span> <span style="font-weight:bold;"> Pixr</span>, 0075 /usr/bin/khelpcenter<span style="font-weight:bold;"> Cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">sanitized_helper</span>, 0076 /usr/bin/helloworld <span style="font-weight:bold;"> cxr</span> <span style="color:#da4453;font-weight:bold;">-></span> 0077 <span style="color:#8e44ad;font-style:italic;">hello_world</span>, 0078 /bin/<span style="color:#3daee9;">**</span><span style="font-weight:bold;"> px</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">profile</span>, 0079 0080 <span style="color:#7a7c7d;"># Dbus rules</span> 0081 <span style="color:#27aeae;font-weight:bold;">dbus</span> (<span style="font-weight:bold;">send</span>) <span style="color:#da4453;text-decoration:underline;">#</span>No-Comment 0082 <span style="color:#27ae60;">bus</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">system</span> 0083 <span style="color:#27ae60;">path</span><span style="color:#3f8058;">=</span>/org/freedesktop/NetworkManager 0084 <span style="color:#27ae60;">interface</span><span style="color:#3f8058;">=</span>org.freedesktop.DBus.Introspectable 0085 <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">name</span><span style="color:#3f8058;">=</span>org.freedesktop.NetworkManager <span style="color:#2980b9;">label</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">unconfined</span>), 0086 <span style="color:#27aeae;font-weight:bold;">dbus</span> (<span style="font-weight:bold;">send</span> <span style="font-weight:bold;">receive</span>) 0087 <span 
style="color:#27ae60;">bus</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">system</span> 0088 <span style="color:#27ae60;">path</span><span style="color:#3f8058;">=</span>/org/freedesktop/NetworkManager 0089 <span style="color:#27ae60;">interface</span><span style="color:#3f8058;">=</span>org.freedesktop.NetworkManager 0090 <span style="color:#27ae60;">member</span><span style="color:#3f8058;">=</span><span style="color:#da4453;">{Introspect</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">state}</span> 0091 <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">name</span><span style="color:#3f8058;">=</span><span style="color:#da4453;">(org.freedesktop.NetworkManager</span><span style="color:#7f8c8d;">|</span><span style="color:#da4453;">org.freedesktop.DBus)</span>), 0092 <span style="color:#27aeae;font-weight:bold;">dbus</span> (<span style="font-weight:bold;">send</span>) 0093 <span style="color:#27ae60;">bus</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">session</span> 0094 <span style="color:#27ae60;">path</span><span style="color:#3f8058;">=</span>/org/gnome/GConf/Database/<span style="color:#3daee9;">*</span> 0095 <span style="color:#27ae60;">member</span><span style="color:#3f8058;">=</span><span style="color:#da4453;">{AddMatch</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">AddNotify</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">AllEntries</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">LookupExtended</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">RemoveNotify}</span>, 0096 <span style="color:#27aeae;font-weight:bold;">dbus</span> (<span style="font-weight:bold;">bind</span>) 0097 <span style="color:#27ae60;">bus</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">system</span> 0098 <span 
style="color:#27ae60;">name</span><span style="color:#3f8058;">=</span>org.bluez, 0099 0100 <span style="color:#7a7c7d;"># Signal rules</span> 0101 <span style="color:#27aeae;font-weight:bold;">signal</span> (<span style="font-weight:bold;">send</span>) <span style="color:#27ae60;">set</span><span style="color:#3f8058;">=</span>(<span style="color:#da4453;">term</span>) <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span><span style="color:#f44f4f;">"/usr/lib/hello/world</span><span style="color:#3f8058;font-weight:bold;">//</span><span style="color:#3f8058;"> foo helper</span><span style="color:#f44f4f;">"</span>, 0102 <span style="color:#27aeae;font-weight:bold;">signal</span> (<span style="font-weight:bold;">send</span>, <span style="font-weight:bold;">receive</span>) <span style="color:#27ae60;">set</span><span style="color:#3f8058;">=</span>(<span style="color:#da4453;">int</span> <span style="color:#da4453;">exists</span> <span style="color:#da4453;">rtmin+8</span>) <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>/usr/lib/hello/world<span style="color:#3f8058;font-weight:bold;">//</span><span style="color:#3f8058;">foo-helper</span>, 0103 0104 <span style="color:#7a7c7d;"># Child profile</span> 0105 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">hello_world</span> <span style="color:#3f8058;">{</span> 0106 <span style="color:#7a7c7d;"># File rules (three different ways)</span> 0107 <span style="color:#27aeae;font-weight:bold;">file</span> /usr/lib<span style="color:#da4453;">{</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">32</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">64}</span>/helloworld/<span style="color:#3daee9;">**</span>.so<span style="font-weight:bold;"> mr</span>, 0108 /usr/lib<span style="color:#da4453;">{</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">32</span><span 
style="color:#7f8c8d;">,</span><span style="color:#da4453;">64}</span>/helloworld/<span style="color:#3daee9;">**</span><span style="font-weight:bold;"> r</span>, 0109 <span style="font-weight:bold;"> rk</span> /usr/lib<span style="color:#da4453;">{</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">32</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">64}</span>/helloworld/hello,file, 0110 0111 <span style="color:#7a7c7d;"># Link rules (two ways)</span> 0112 <span style="font-weight:bold;"> l</span> /foo1 <span style="color:#da4453;font-weight:bold;">-></span> /bar, 0113 <span style="color:#27aeae;font-weight:bold;">link</span> /foo2 <span style="color:#da4453;font-weight:bold;">-></span> bar, 0114 <span style="color:#27aeae;font-weight:bold;">link</span> <span style="color:#27aeae;">subset</span> /link<span style="color:#3daee9;">*</span> <span style="color:#da4453;font-weight:bold;">-></span> /<span style="color:#3daee9;">**</span>, 0115 0116 <span style="color:#7a7c7d;"># Network rules</span> 0117 <span style="color:#27aeae;font-weight:bold;">network</span> <span style="color:#27aeae;">inet6</span> <span style="color:#27aeae;">tcp</span>, 0118 <span style="color:#27aeae;font-weight:bold;">network</span> <span style="color:#27aeae;">netlink</span> <span style="color:#27aeae;">dgram</span>, 0119 <span style="color:#27aeae;font-weight:bold;">network</span> <span style="color:#27aeae;">bluetooth</span>, 0120 <span style="color:#27aeae;font-weight:bold;">network</span> <span style="font-style:italic;">unspec</span> <span style="color:#27aeae;">dgram</span>, 0121 0122 <span style="color:#7a7c7d;"># Capability rules</span> 0123 <span style="color:#27aeae;font-weight:bold;">capability</span> <span style="color:#27aeae;">dac_override</span>, 0124 <span style="color:#27aeae;font-weight:bold;">capability</span> <span style="color:#27aeae;">sys_admin</span>, 0125 <span style="color:#27aeae;font-weight:bold;">capability</span> <span 
style="color:#27aeae;">sys_chroot</span>, 0126 0127 <span style="color:#7a7c7d;"># Mount rules</span> 0128 <span style="color:#27aeae;font-weight:bold;">mount</span> <span style="color:#27ae60;">options</span><span style="color:#3f8058;">=</span>(<span style="font-weight:bold;">rw</span> <span style="font-weight:bold;">bind</span> <span style="font-weight:bold;">remount</span> <span style="font-weight:bold;">nodev</span> <span style="font-weight:bold;">noexec</span>) <span style="color:#27ae60;">vfstype</span><span style="color:#3f8058;">=</span><span style="color:#da4453;">ecryptfs</span> /home/<span style="color:#3daee9;">*</span>/.helloworld/ <span style="color:#da4453;font-weight:bold;">-></span> /home/<span style="color:#3daee9;">*</span>/helloworld/, 0129 <span style="color:#27aeae;font-weight:bold;">mount</span> <span style="color:#27ae60;">options</span> <span style="color:#da4453;font-weight:bold;">in</span> (<span style="font-weight:bold;">rw</span>, <span style="font-weight:bold;">bind</span>) / <span style="color:#da4453;font-weight:bold;">-></span> /run/hellowordd/<span style="color:#3daee9;">*</span>.mnt, 0130 <span style="color:#27aeae;font-weight:bold;">mount</span> <span style="color:#27ae60;">options</span><span style="color:#3f8058;">=</span><span style="font-weight:bold;">read-only</span> <span style="color:#27ae60;">fstype</span><span style="color:#3f8058;">=</span><span style="color:#da4453;">btrfs</span> /dev/sd<span style="color:#da4453;">[a-z][1-9]</span><span style="color:#3daee9;">*</span> <span style="color:#da4453;font-weight:bold;">-></span> /media/<span style="color:#3daee9;">*</span>/<span style="color:#3daee9;">*</span>, 0131 <span style="color:#27aeae;font-weight:bold;">umount</span> /home/<span style="color:#3daee9;">*</span>/helloworld/, 0132 0133 <span style="color:#7a7c7d;"># Pivot Root rules</span> 0134 <span style="color:#27aeae;font-weight:bold;">pivot_root</span> <span style="color:#27ae60;">oldroot</span><span 
style="color:#3f8058;">=</span>/mnt/root/old/ /mnt/root/, 0135 <span style="color:#27aeae;font-weight:bold;">pivot_root</span> /mnt/root/, 0136 0137 <span style="color:#7a7c7d;"># Ptrace rules</span> 0138 <span style="color:#27aeae;font-weight:bold;">ptrace</span> (<span style="font-weight:bold;">trace</span>) <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">unconfined</span>, 0139 <span style="color:#27aeae;font-weight:bold;">ptrace</span> (<span style="font-weight:bold;">read</span>, <span style="font-weight:bold;">trace</span>, <span style="font-weight:bold;">tracedby</span>) <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>/usr/lib/hello/helloword, 0140 0141 <span style="color:#7a7c7d;"># Unix rules</span> 0142 <span style="color:#27aeae;font-weight:bold;">unix</span> (<span style="font-weight:bold;">connect</span> <span style="font-weight:bold;">receive</span> <span style="font-weight:bold;">send</span>) <span style="color:#27ae60;">type</span><span style="color:#3f8058;">=</span>(<span style="color:#27aeae;">stream</span>) <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">addr</span><span style="color:#3f8058;">=</span>@/tmp/ibus/dbus-<span style="color:#3daee9;">*</span>,<span style="color:#2980b9;">label</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">unconfined</span>), 0143 <span style="color:#27aeae;font-weight:bold;">unix</span> (<span style="font-weight:bold;">send</span>,<span style="font-weight:bold;">receive</span>) <span style="color:#27ae60;">type</span><span style="color:#3f8058;">=</span>(<span style="color:#27aeae;">stream</span>) <span style="color:#27ae60;">protocol</span><span style="color:#3f8058;">=</span>0 <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">addr</span><span style="color:#3f8058;">=</span><span 
style="font-style:italic;">none</span>), 0144 <span style="color:#27aeae;font-weight:bold;">unix</span> <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">label</span><span style="color:#3f8058;">=</span><span style="color:#f67400;">@{profile_name}</span>,<span style="color:#2980b9;">addr</span><span style="color:#3f8058;">=</span>@helloworld), 0145 0146 <span style="color:#7a7c7d;"># Rlimit rule</span> 0147 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#27aeae;font-weight:bold;">rlimit</span> <span style="color:#27aeae;">data</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">100</span><span style="color:#f67400;font-weight:bold;">M</span>, 0148 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#27aeae;font-weight:bold;">rlimit</span> <span style="color:#27aeae;">nproc</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">10</span>, 0149 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#27aeae;font-weight:bold;">rlimit</span> <span style="color:#27aeae;">memlock</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">2</span><span style="color:#f67400;font-weight:bold;">GB</span>, 0150 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#27aeae;font-weight:bold;">rlimit</span> <span style="color:#27aeae;">rss</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">infinity</span>, 0151 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#27aeae;font-weight:bold;">rlimit</span> <span style="color:#27aeae;">nice</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">-12</span>, 0152 0153 <span style="color:#7a7c7d;"># Change Profile rules</span> 0154 <span 
style="color:#27aeae;font-weight:bold;">change_profile</span> <span style="color:#27aeae;">unsafe</span> /<span style="color:#3daee9;">**</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">[^u/]</span><span style="color:#3daee9;font-style:italic;">**</span>, 0155 <span style="color:#27aeae;font-weight:bold;">change_profile</span> <span style="color:#27aeae;">unsafe</span> /<span style="color:#3daee9;">**</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">{u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}</span>, 0156 <span style="color:#27aeae;font-weight:bold;">change_profile</span> /bin/bash <span style="color:#da4453;font-weight:bold;">-></span> 0157 <span style="color:#8e44ad;font-style:italic;">new_profile</span><span style="color:#3f8058;font-weight:bold;font-style:italic;">//</span><span style="color:#8e44ad;font-style:italic;">hat</span>, 0158 <span style="color:#3f8058;">}</span> 0159 0160 <span style="color:#7a7c7d;"># Hat</span> 0161 <span style="color:#8e44ad;font-weight:bold;"> ^</span><span style="color:#8e44ad;">foo-helper</span><span style="color:#3daee9;">\/</span> <span style="color:#3f8058;">{</span> 0162 <span style="color:#27aeae;font-weight:bold;">network</span> <span style="color:#27aeae;">unix</span> <span style="color:#27aeae;">stream</span>, 0163 <span style="color:#27aeae;font-weight:bold;">unix</span> <span style="color:#27aeae;">stream</span>, 0164 0165 /usr/hi<span style="color:#3daee9;">\"</span>esc<span style="color:#3daee9;">\x23</span>esc<span style="color:#3daee9;">\032</span>es<span style="color:#3daee9;">\47</span>7esc<span style="color:#3daee9;">\*</span>es<span style="color:#3daee9;">\{</span>esc<span style="color:#3daee9;">\ </span>rw<span style="font-weight:bold;"> r</span>, <span style="color:#7a7c7d;"># Escape expressions</span> 0166 0167 <span style="color:#7a7c7d;"># Text after a variable is 
highlighted as path</span> 0168 <span style="color:#27aeae;font-weight:bold;">file</span> /my/path<span style="font-weight:bold;"> r</span>, 0169 <span style="color:#f67400;">@{FOO_LIB}</span>file<span style="font-weight:bold;"> r</span>, 0170 <span style="color:#f67400;">@{FOO_LIB}</span>#my/path<span style="font-weight:bold;"> r</span>, <span style="color:#7a7c7d;">#Comment</span> 0171 <span style="color:#f67400;">@{FOO_LIB}</span>ñ<span style="color:#3daee9;">*</span><span style="font-weight:bold;"> r</span>, 0172 <span style="color:#27aeae;font-weight:bold;">unix</span> (/path<span style="color:#3daee9;">\t</span><span style="color:#da4453;">{aa}</span><span style="color:#3daee9;">*</span>,*a <span style="color:#f67400;">@{var}</span><span style="color:#3daee9;">*</span>path,* <span style="color:#f67400;">@{var}</span>,*), 0173 <span style="color:#3f8058;">}</span> 0174 <span style="color:#3f8058;">}</span> 0175 0176 <span style="color:#7a7c7d;"># Syntax Error</span> 0177 /usr/bin/error (<span style="color:#da4453;">complain</span>, <span style="color:#da4453;">audit</span>) <span style="color:#3f8058;">{</span> 0178 <span style="color:#27aeae;font-weight:bold;">file</span> <span style="color:#da4453;text-decoration:underline;">#include</span> /hello<span style="font-weight:bold;"> r</span>, 0179 0180 <span style="color:#7a7c7d;"># Error: Variable open or with characters not allowed</span> 0181 <span style="color:#da4453;text-decoration:underline;">@</span><span style="color:#3f8058;">{</span>var 0182 <span style="color:#da4453;text-decoration:underline;">@</span><span style="color:#3f8058;">{</span>sdf&s<span style="color:#3f8058;">}</span> 0183 0184 <span style="color:#7a7c7d;"># Error: Open brackets</span> 0185 /<span style="color:#da4453;">{hello{ab</span><span style="color:#7f8c8d;">,</span><span style="color:#da4453;">cd}worl</span><span style="color:#da4453;text-decoration:underline;">d</span> <span style="font-weight:bold;"> kr</span>, 0186 /<span 
style="color:#da4453;">{abc{ab</span><span style="color:#da4453;text-decoration:underline;">c</span><span style="font-weight:bold;"> kr</span>, 0187 /<span style="color:#da4453;">[ab</span><span style="color:#da4453;text-decoration:underline;">c</span> <span style="font-weight:bold;"> kr</span>, 0188 /<span style="color:#da4453;">(ab</span><span style="color:#da4453;text-decoration:underline;">c</span><span style="font-weight:bold;"> kr</span>, 0189 0190 <span style="color:#7a7c7d;"># Error: Empty brackets</span> 0191 /hello<span style="color:#da4453;text-decoration:underline;">[]</span>hello<span style="color:#da4453;text-decoration:underline;">{}</span>hello<span style="color:#da4453;text-decoration:underline;">()</span>he <span style="font-weight:bold;"> kr</span>, 0192 0193 <span style="color:#7a7c7d;"># Comments not allowed</span> 0194 <span style="color:#27aeae;font-weight:bold;">dbus</span> (<span style="font-weight:bold;">send</span>) <span style="color:#da4453;text-decoration:underline;">#</span>No comment 0195 <span style="color:#27ae60;">path</span><span style="color:#3f8058;">=</span>/org/hello 0196 <span style="color:#da4453;text-decoration:underline;">#</span><span style="color:#7a7c7d;">No comment</span> 0197 <span style="color:#27ae60;">interface</span><span style="color:#3f8058;">=</span>org.hello <span style="color:#da4453;text-decoration:underline;">#</span>No comment 0198 <span style="color:#27ae60;">peer</span><span style="color:#3f8058;">=</span>(<span style="color:#2980b9;">name</span><span style="color:#3f8058;">=</span>org.hello <span style="color:#da4453;text-decoration:underline;">#</span>No comment 0199 <span style="color:#2980b9;">label</span><span style="color:#3f8058;">=</span><span style="font-style:italic;">unconfined</span>), <span style="color:#7a7c7d;">#Comment</span> 0200 0201 <span style="color:#7a7c7d;"># Don't allow assignment of variables within profiles</span> 0202 <span style="color:#f67400;">@{VARIABLE}</span> <span 
style="color:#da4453;text-decoration:underline;">=</span> val1 val2 val3 <span style="color:#7a7c7d;"># Comment</span> 0203 0204 <span style="color:#7a7c7d;"># Alias rules not allowed within profiles</span> 0205 <span style="color:#da4453;text-decoration:underline;">alias</span> /run/ <span style="color:#da4453;font-weight:bold;">-></span> /mnt/run/, 0206 0207 <span style="color:#7a7c7d;"># Error: Open rule</span> 0208 /home/<span style="color:#3daee9;">*</span>/file<span style="font-weight:bold;"> rw</span> 0209 <span style="color:#27aeae;font-weight:bold;text-decoration:underline;">capability</span> <span style="color:#27aeae;">dac_override</span> 0210 <span style="color:#da4453;font-weight:bold;text-decoration:underline;">deny</span> <span style="color:#27aeae;font-weight:bold;">file</span> /etc/fstab<span style="font-weight:bold;"> w</span> 0211 <span style="font-weight:bold;text-decoration:underline;">audit</span> <span style="color:#27aeae;font-weight:bold;">network</span> <span style="color:#27aeae;">ieee802154</span>, 0212 0213 <span style="color:#27aeae;font-weight:bold;">dbus</span> (<span style="font-weight:bold;">receive</span> 0214 <span style="color:#27aeae;font-weight:bold;text-decoration:underline;">unix</span> <span style="color:#27aeae;">stream</span>, 0215 <span style="color:#27aeae;font-weight:bold;">unix</span> <span style="color:#27aeae;">stream</span>, 0216 <span style="color:#3f8058;">}</span> 0217 0218 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">other_tests</span> <span style="color:#3f8058;">{</span> 0219 <span style="color:#7a7c7d;"># set rlimit</span> 0220 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#27aeae;font-weight:bold;">rlimit</span> <span style="color:#27aeae;">nice</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">3</span>, 0221 <span 
style="color:#27aeae;font-weight:bold;text-decoration:underline;">rlimit</span> <span style="color:#27aeae;">nice</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">3</span>, <span style="color:#7a7c7d;"># Without "set"</span> 0222 <span style="color:#27aeae;font-weight:bold;">set</span> <span style="color:#7a7c7d;">#comment</span> 0223 <span style="color:#27aeae;font-weight:bold;">rlimit</span> 0224 <span style="color:#27aeae;">nice</span> <span style="color:#da4453;font-weight:bold;"><=</span> <span style="color:#f67400;">3</span>, 0225 0226 <span style="color:#7a7c7d;"># "remount" keyword</span> 0227 <span style="color:#27aeae;font-weight:bold;">mount</span> <span style="font-weight:bold;">remount</span> 0228 <span style="font-weight:bold;">remount</span>, 0229 <span style="color:#27aeae;font-weight:bold;">remount</span> <span style="font-weight:bold;">remount</span> 0230 <span style="font-weight:bold;">remount</span>, 0231 <span style="color:#27aeae;font-weight:bold;">dbus</span> remount 0232 <span style="color:#27aeae;font-weight:bold;text-decoration:underline;">remount</span>, 0233 <span style="color:#27aeae;font-weight:bold;">unix</span> remount 0234 <span style="color:#27aeae;font-weight:bold;text-decoration:underline;">remount</span>, 0235 <span style="color:#7a7c7d;"># "unix" keyword</span> 0236 <span style="color:#27aeae;font-weight:bold;">network</span> <span style="color:#27aeae;">unix</span> 0237 <span style="color:#27aeae;">unix</span>, 0238 <span style="color:#27aeae;font-weight:bold;">ptrace</span> unix 0239 <span style="color:#27aeae;font-weight:bold;text-decoration:underline;">unix</span>, 0240 <span style="color:#27aeae;font-weight:bold;">unix</span> unix 0241 <span style="color:#27aeae;font-weight:bold;text-decoration:underline;">unix</span>, 0242 0243 <span style="color:#7a7c7d;"># Transition rules</span> 0244 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span 
style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">hello</span><span style="color:#3daee9;font-style:italic;">*</span>, <span style="color:#7a7c7d;"># profile name</span> 0245 /usr/bin/foo<span style="font-weight:bold;"> Cx</span> <span style="color:#da4453;font-weight:bold;">-></span> path/, <span style="color:#7a7c7d;"># path</span> 0246 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">ab[ad/]hello</span>, <span style="color:#7a7c7d;"># profile name</span> 0247 /usr/bin/foo<span style="font-weight:bold;"> Cx</span> <span style="color:#da4453;font-weight:bold;">-></span> ab<span style="color:#da4453;">[cd/]</span>a<span style="color:#da4453;">[ad/]</span>hello/path, <span style="color:#7a7c7d;"># path</span> 0248 /usr/bin/foo<span style="font-weight:bold;"> Cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">ab[hello/path</span>, <span style="color:#7a7c7d;"># profile name</span> 0249 0250 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">"hello</span><span style="color:#3daee9;font-style:italic;">*</span><span style="color:#8e44ad;font-style:italic;">"</span>, <span style="color:#7a7c7d;"># profile name</span> 0251 /usr/bin/foo<span style="font-weight:bold;"> Cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#f44f4f;">"path/"</span>, <span style="color:#7a7c7d;"># path</span> 0252 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">"ab[ad/]hello"</span>, <span style="color:#7a7c7d;"># profile name</span> 0253 /usr/bin/foo<span style="font-weight:bold;"> Cx</span> <span 
style="color:#da4453;font-weight:bold;">-></span> <span style="color:#f44f4f;">"ab</span><span style="color:#da4453;">[cd/]</span><span style="color:#f44f4f;">a</span><span style="color:#da4453;">[ad/]</span><span style="color:#f44f4f;">hello/path"</span>, <span style="color:#7a7c7d;"># path</span> 0254 /usr/bin/foo<span style="font-weight:bold;"> Cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">"ab[hello/path"</span>, <span style="color:#7a7c7d;"># profile name</span> 0255 0256 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span style="color:#da4453;font-weight:bold;">-></span> holas//hello/sa, <span style="color:#7a7c7d;"># path</span> 0257 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span style="color:#da4453;font-weight:bold;">-></span> df///dd<span style="color:#3f8058;font-weight:bold;">//</span><span style="color:#3f8058;">hat</span>, <span style="color:#7a7c7d;"># path + hat</span> 0258 /usr/bin/foo<span style="font-weight:bold;"> cx</span> <span style="color:#da4453;font-weight:bold;">-></span> <span style="color:#8e44ad;font-style:italic;">holas,#sd</span><span style="color:#3daee9;font-style:italic;">\323</span><span style="color:#8e44ad;font-style:italic;">fsdf</span>, <span style="color:#7a7c7d;"># profile name</span> 0259 0260 <span style="color:#7a7c7d;"># Access modes</span> 0261 /hello/lib/foo rwklms, <span style="color:#7a7c7d;"># s invalid</span> 0262 /hello/lib/foo rwmaix, <span style="color:#7a7c7d;"># w & a incompatible</span> 0263 /hello/lib/foo kalmw, 0264 /hello/lib/foo wa, 0265 <span style="color:#7a7c7d;"># OK</span> 0266 /hello/lib/foo<span style="font-weight:bold;"> rrwrwwrwrw</span>, 0267 /hello/lib/foo<span style="font-weight:bold;"> ixixix</span>, 0268 <span style="color:#7a7c7d;"># Incompatible exec permissions</span> 0269 ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx, 0270 pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx 
puxpuxx, 0271 Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx, 0272 <span style="color:#7a7c7d;"># Test valid permissions</span> 0273 <span style="font-weight:bold;"> r w a k l m l x ix ux Ux px Px cx Cx</span> , 0274 <span style="font-weight:bold;"> pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx</span>, 0275 <span style="font-weight:bold;"> rwklmx raklmx</span>, 0276 <span style="font-weight:bold;"> r rw rwk rwkl rwklm</span>, 0277 <span style="font-weight:bold;"> rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx</span>, 0278 <span style="font-weight:bold;"> rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk</span>, 0279 <span style="font-weight:bold;"> rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl</span>, 0280 0281 <span style="color:#7a7c7d;"># Profile name</span> 0282 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">holas</span> <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0283 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0284 <span style="color:#8e44ad;font-weight:bold;">profile</span> /path <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0285 <span style="color:#8e44ad;font-weight:bold;">profile</span> holas/abc <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0286 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">holas</span><span style="color:#3daee9;">\/</span><span style="color:#8e44ad;">abc</span> <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0287 <span style="color:#8e44ad;font-weight:bold;">profile</span> 0288 <span style="color:#8e44ad;">#holas</span> <span style="color:#3f8058;">{</span> ... 
<span style="color:#3f8058;">}</span> 0289 0290 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">flags</span><span style="color:#8e44ad;text-decoration:underline;">=</span><span style="color:#da4453;text-decoration:underline;">(complain)#asd</span> <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0291 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">flags</span> <span style="color:#27ae60;">flags</span><span style="color:#3f8058;">=</span>(<span style="color:#da4453;">complain</span>) <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0292 <span style="color:#8e44ad;font-weight:bold;">profile</span> <span style="color:#8e44ad;">flag</span><span style="color:#8e44ad;text-decoration:underline;">s</span><span style="color:#da4453;text-decoration:underline;">(complain)</span> <span style="color:#3f8058;">{</span> ... <span style="color:#3f8058;">}</span> 0293 <span style="color:#3f8058;">}</span> 0294 </pre></body></html>