0001 # kate: syntax AppArmor Security Profile; replace-tabs off;
0002
0003 #
0004 # Sample AppArmor Profile.
0005 # License: Public Domain
0006 #
0007 # NOTE: This profile is intentionally not functional and
0008 # contains deliberate syntax errors (see the "Syntax Error"
0009 # section below): it exists only to test the syntax highlighting
0010 # of KDE's KSyntaxHighlighting framework.
0010 #
0011
0012 include <tunables/global>
0013
0014 # Variable assignment
0015 @{FOO_LIB}=/usr/lib{,32,64}/foo
0016 @{USER_DIR}
0017 = @{HOME}/Public @{HOME}/Desktop #No-Comment
0018 @{USER_DIR} += @{HOME}/Hello \
0019 deny owner #No-comment aa#aa
0020 ${BOOL} = true
0021
0022 # Alias
0023 alias /usr/ -> /mnt/usr/,
0024
0025 # ABI feature
0026 abi <abi/3.0>,
0027 abi <"includes/abi/4.19">,
0028 abi "simple_tests/includes/abi/4.19",
0029 abi simple_tests/includes/abi/4.19,
0030
0031 # Profile for /usr/bin/foo
0032 profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) {
0033 #include <abstractions/ubuntu-helpers>
0034 #include<abstractions/wayland>
0035 #include"/etc/apparmor.d/abstractions/ubuntu-konsole"
0036 include "/etc/apparmor.d/abstractions/openssl"
0037
0038 include if exists <path with spaces>
0039 include <include_tests/includes_okay_helper.include> #include <includes/base>
0040 /some/file mr, #include <includes/base> /bin/true Px,
0041
0042 # File rules
0043 /{,**/} r,
0044 owner /{home,media,mnt,srv,net}/** r,
0045 owner @{USER_DIR}/** rw,
0046 audit deny owner /**/* mx,
0047 /**.[tT][xX][tT] r, # txt
0048
0049 owner file @{HOME}/.local/share/foo/{,**} rwkl,
0050 owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
0051
0052 "/usr/share/**" r,
0053 "/var/lib/flatpak/exports/share/**" r,
0054 "/var/lib/{spaces in
0055 string,hello}/a[^ a]a/**" r,
0056
0057 allow file /etc/nsswitch.conf r,
0058 allow /etc/fstab r,
0059 deny /etc/xdg/{autostart,systemd}/** r,
0060 deny /boot/** rwlkmx,
0061
0062 owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
0063 /sys/devices/**/uevent r,
0064 @{FOO_LIB}/{@{multiarch},64}/** mr,
0065
0066 /usr/bin/foo ixr,
0067 /usr/bin/dolphin pUx,
0068 /usr/bin/* Pixr,
0069 /usr/bin/khelpcenter Cx -> sanitized_helper,
0070 /usr/bin/helloworld cxr ->
0071 hello_world,
0072 /bin/** px -> profile,
0073
0074 # Dbus rules
0075 dbus (send) #No-Comment
0076 bus=system
0077 path=/org/freedesktop/NetworkManager
0078 interface=org.freedesktop.DBus.Introspectable
0079 peer=(name=org.freedesktop.NetworkManager label=unconfined),
0080 dbus (send receive)
0081 bus=system
0082 path=/org/freedesktop/NetworkManager
0083 interface=org.freedesktop.NetworkManager
0084 member={Introspect,state}
0085 peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
0086 dbus (send)
0087 bus=session
0088 path=/org/gnome/GConf/Database/*
0089 member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
0090 dbus (bind)
0091 bus=system
0092 name=org.bluez,
0093
0094 # Signal rules
0095 signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
0096 signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
0097
0098 # Child profile
0099 profile hello_world {
0100 # File rules (three different ways)
0101 file /usr/lib{,32,64}/helloworld/**.so mr,
0102 /usr/lib{,32,64}/helloworld/** r,
0103 rk /usr/lib{,32,64}/helloworld/hello,file,
0104
0105 # Link rules (two ways)
0106 l /foo1 -> /bar,
0107 link /foo2 -> bar,
0108 link subset /link* -> /**,
0109
0110 # Network rules
0111 network inet6 tcp,
0112 network netlink dgram,
0113 network bluetooth,
0114 network unspec dgram,
0115
0116 # Capability rules
0117 capability dac_override,
0118 capability sys_admin,
0119 capability sys_chroot,
0120
0121 # Mount rules
0122 mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
0123 mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
0124 mount options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
0125 umount /home/*/helloworld/,
0126
0127 # Pivot Root rules
0128 pivot_root oldroot=/mnt/root/old/ /mnt/root/,
0129 pivot_root /mnt/root/,
0130
0131 # Ptrace rules
0132 ptrace (trace) peer=unconfined,
0133 ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
0134
0135 # Unix rules
0136 unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
0137 unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
0138 unix peer=(label=@{profile_name},addr=@helloworld),
0139
0140 # Rlimit rule
0141 set rlimit data <= 100M,
0142 set rlimit nproc <= 10,
0143 set rlimit memlock <= 2GB,
0144 set rlimit rss <= infinity,
0145 set rlimit nice <= -12,
0146
0147 # Change Profile rules
0148 change_profile unsafe /** -> [^u/]**,
0149 change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
0150 change_profile /bin/bash ->
0151 new_profile//hat,
0152 }
0153
0154 # Hat
0155 ^foo-helper\/ {
0156 network unix stream,
0157 unix stream,
0158
0159 /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
0160
0161 # Text after a variable is highlighted as a path
0162 file /my/path r,
0163 @{FOO_LIB}file r,
0164 @{FOO_LIB}#my/path r, #Comment
0165 @{FOO_LIB}ñ* r,
0166 unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
0167 }
0168 }
0169
0170 # Syntax Error
0171 /usr/bin/error (complain, audit) {
0172 file #include /hello r,
0173
0174 # Error: Unclosed variable, or variable name with disallowed characters
0175 @{var
0176 @{sdf&s}
0177
0178 # Error: Open brackets
0179 /{hello{ab,cd}world kr,
0180 /{abc{abc kr,
0181 /[abc kr,
0182 /(abc kr,
0183
0184 # Error: Empty brackets
0185 /hello[]hello{}hello()he kr,
0186
0187 # Comments not allowed
0188 dbus (send) #No comment
0189 path=/org/hello
0190 #No comment
0191 interface=org.hello #No comment
0192 peer=(name=org.hello #No comment
0193 label=unconfined), #Comment
0194
0195 # Don't allow assignment of variables within profiles
0196 @{VARIABLE} = val1 val2 val3 # Comment
0197
0198 # Alias rules not allowed within profiles
0199 alias /run/ -> /mnt/run/,
0200
0201 # Error: Unterminated rule
0202 /home/*/file rw
0203 capability dac_override
0204 deny file /etc/fstab w
0205 audit network ieee802154,
0206
0207 dbus (receive
0208 unix stream,
0209 unix stream,
0210 }
0211
0212 profile other_tests {
0213 # set rlimit
0214 set rlimit nice <= 3,
0215 rlimit nice <= 3, # Without "set"
0216 set #comment
0217 rlimit
0218 nice <= 3,
0219
0220 # "remount" keyword
0221 mount remount
0222 remount,
0223 remount remount
0224 remount,
0225 dbus remount
0226 remount,
0227 unix remount
0228 remount,
0229 # "unix" keyword
0230 network unix
0231 unix,
0232 ptrace unix
0233 unix,
0234 unix unix
0235 unix,
0236
0237 # Transition rules
0238 /usr/bin/foo cx -> hello*, # profile name
0239 /usr/bin/foo Cx -> path/, # path
0240 /usr/bin/foo cx -> ab[ad/]hello, # profile name
0241 /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
0242 /usr/bin/foo Cx -> ab[hello/path, # profile name
0243
0244 /usr/bin/foo cx -> "hello*", # profile name
0245 /usr/bin/foo Cx -> "path/", # path
0246 /usr/bin/foo cx -> "ab[ad/]hello", # profile name
0247 /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
0248 /usr/bin/foo Cx -> "ab[hello/path", # profile name
0249
0250 /usr/bin/foo cx -> holas//hello/sa, # path
0251 /usr/bin/foo cx -> df///dd//hat, # path + hat
0252 /usr/bin/foo cx -> holas,#sd\323fsdf, # profile name
0253
0254 # Access modes
0255 /hello/lib/foo rwklms, # s invalid
0256 /hello/lib/foo rwmaix, # w & a incompatible
0257 /hello/lib/foo kalmw,
0258 /hello/lib/foo wa,
0259 # OK
0260 /hello/lib/foo rrwrwwrwrw,
0261 /hello/lib/foo ixixix,
0262 # Incompatible exec permissions
0263 ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
0264 pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
0265 Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
0266 # Test valid permissions
0267 r w a k l m l x ix ux Ux px Px cx Cx ,
0268 pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
0269 rwklmx raklmx,
0270 r rw rwk rwkl rwklm,
0271 rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
0272 rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
0273 rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
0274
0275 # Profile name
0276 profile holas { ... }
0277 profile { ... }
0278 profile /path { ... }
0279 profile holas/abc { ... }
0280 profile holas\/abc { ... }
0281 profile
0282 #holas { ... }
0283
0284 profile flags=(complain)#asd { ... }
0285 profile flags flags=(complain) { ... }
0286 profile flags(complain) { ... }
0287 }