1# kate: syntax AppArmor Security Profile; replace-tabs off; 2 3# 4# Sample AppArmor Profile. 5# License: Public Domain 6# 7# NOTE: This profile is not fully functional, since 8# it is designed to test the syntax highlighting 9# for the KDE's KSyntaxHighlighting framework. 10# 11 12include <tunables/global> 13 14# Variable assignment 15@{FOO_LIB}=/usr/lib{,32,64}/foo 16@{USER_DIR} 17 = @{HOME}/Public @{HOME}/Desktop #No-Comment 18@{USER_DIR} += @{HOME}/Hello \ 19deny owner #No-comment aa#aa 20${BOOL} = true 21 22# Alias 23<beginfold id='1'>alias</beginfold id='1'> /usr/ -> /mnt/usr/<endfold id='1'>,</endfold id='1'> 24 25# ABI feature 26<beginfold id='1'>abi</beginfold id='1'> <abi/3.0><endfold id='1'>,</endfold id='1'> 27<beginfold id='1'>abi</beginfold id='1'> <"includes/abi/4.19"><endfold id='1'>,</endfold id='1'> 28<beginfold id='1'>abi</beginfold id='1'> "simple_tests/includes/abi/4.19"<endfold id='1'>,</endfold id='1'> 29<beginfold id='1'>abi</beginfold id='1'> simple_tests/includes/abi/4.19<endfold id='1'>,</endfold id='1'> 30 31# Profile for /usr/bin/foo 32profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) <beginfold id='2'>{</beginfold id='2'> 33 #include <abstractions/ubuntu-helpers> 34 #include<abstractions/wayland> 35 #include"/etc/apparmor.d/abstractions/ubuntu-konsole" 36 include "/etc/apparmor.d/abstractions/openssl" 37 38 include if exists <path with spaces> 39 include <include_tests/includes_okay_helper.include> #include <includes/base> 40 /some/file mr<endfold id='1'>,</endfold id='1'> #include <includes/base> /bin/true Px<endfold id='1'>,</endfold id='1'> 41 42 # File rules 43 /{,**/} r<endfold id='1'>,</endfold id='1'> 44 owner /{home,media,mnt,srv,net}/** r<endfold id='1'>,</endfold id='1'> 45 owner @{USER_DIR}/** rw<endfold id='1'>,</endfold id='1'> 46 audit deny owner /**/* mx<endfold id='1'>,</endfold id='1'> 47 /**.[tT][xX][tT] r<endfold id='1'>,</endfold id='1'> # txt 48 49 owner <beginfold id='1'>file</beginfold id='1'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='1'>,</endfold id='1'> 50 owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk<endfold id='1'>,</endfold id='1'> 51 52 "/usr/share/**" r<endfold id='1'>,</endfold id='1'> 53 "/var/lib/flatpak/exports/share/**" r<endfold id='1'>,</endfold id='1'> 54 "/var/lib/{spaces in 55 string,hello}/a[^ a]a/**" r<endfold id='1'>,</endfold id='1'> 56 57 allow <beginfold id='1'>file</beginfold id='1'> /etc/nsswitch.conf r<endfold id='1'>,</endfold id='1'> 58 allow /etc/fstab r<endfold id='1'>,</endfold id='1'> 59 deny /etc/xdg/{autostart,systemd}/** r<endfold id='1'>,</endfold id='1'> 60 deny /boot/** rwlkmx<endfold id='1'>,</endfold id='1'> 61 62 owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='1'>,</endfold id='1'> 63 /sys/devices/**/uevent r<endfold id='1'>,</endfold id='1'> 64 @{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='1'>,</endfold id='1'> 65 66 /usr/bin/foo ixr<endfold id='1'>,</endfold id='1'> 67 /usr/bin/dolphin pUx<endfold id='1'>,</endfold id='1'> 68 /usr/bin/* Pixr<endfold id='1'>,</endfold id='1'> 69 /usr/bin/khelpcenter Cx -> sanitized_helper<endfold id='1'>,</endfold id='1'> 70 /usr/bin/helloworld cxr -> 71 hello_world<endfold id='1'>,</endfold id='1'> 72 /bin/** px -> profile<endfold id='1'>,</endfold id='1'> 73 74 # Dbus rules 75 <beginfold id='1'>dbus</beginfold id='1'> (send) #No-Comment 76 bus=system 77 path=/org/freedesktop/NetworkManager 78 interface=org.freedesktop.DBus.Introspectable 79 peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='1'>,</endfold id='1'> 80 <beginfold id='1'>dbus</beginfold id='1'> (send receive) 81 bus=system 82 path=/org/freedesktop/NetworkManager 83 interface=org.freedesktop.NetworkManager 84 member={Introspect,state} 85 peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus))<endfold id='1'>,</endfold id='1'> 86 <beginfold id='1'>dbus</beginfold id='1'> (send) 87 bus=session 88 path=/org/gnome/GConf/Database/* 89 member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='1'>,</endfold id='1'> 90 <beginfold id='1'>dbus</beginfold id='1'> (bind) 91 bus=system 92 name=org.bluez<endfold id='1'>,</endfold id='1'> 93 94 # Signal rules 95 <beginfold id='1'>signal</beginfold id='1'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='1'>,</endfold id='1'> 96 <beginfold id='1'>signal</beginfold id='1'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='1'>,</endfold id='1'> 97 98 # Child profile 99 profile hello_world <beginfold id='2'>{</beginfold id='2'> 100 # File rules (three different ways) 101 <beginfold id='1'>file</beginfold id='1'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='1'>,</endfold id='1'> 102 /usr/lib{,32,64}/helloworld/** r<endfold id='1'>,</endfold id='1'> 103 rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='1'>,</endfold id='1'> 104 105 # Link rules (two ways) 106 l /foo1 -> /bar<endfold id='1'>,</endfold id='1'> 107 <beginfold id='1'>link</beginfold id='1'> /foo2 -> bar<endfold id='1'>,</endfold id='1'> 108 <beginfold id='1'>link</beginfold id='1'> subset /link* -> /**<endfold id='1'>,</endfold id='1'> 109 110 # Network rules 111 <beginfold id='1'>network</beginfold id='1'> inet6 tcp<endfold id='1'>,</endfold id='1'> 112 <beginfold id='1'>network</beginfold id='1'> netlink dgram<endfold id='1'>,</endfold id='1'> 113 <beginfold id='1'>network</beginfold id='1'> bluetooth<endfold id='1'>,</endfold id='1'> 114 <beginfold id='1'>network</beginfold id='1'> unspec dgram<endfold id='1'>,</endfold id='1'> 115 116 # Capability rules 117 <beginfold id='1'>capability</beginfold id='1'> dac_override<endfold id='1'>,</endfold id='1'> 118 <beginfold id='1'>capability</beginfold id='1'> sys_admin<endfold id='1'>,</endfold id='1'> 119 <beginfold id='1'>capability</beginfold id='1'> sys_chroot<endfold id='1'>,</endfold id='1'> 120 121 # Mount rules 122 <beginfold id='1'>mount</beginfold id='1'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/<endfold id='1'>,</endfold id='1'> 123 <beginfold id='1'>mount</beginfold id='1'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='1'>,</endfold id='1'> 124 <beginfold id='1'>mount</beginfold id='1'> options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*<endfold id='1'>,</endfold id='1'> 125 <beginfold id='1'>umount</beginfold id='1'> /home/*/helloworld/<endfold id='1'>,</endfold id='1'> 126 127 # Pivot Root rules 128 <beginfold id='1'>pivot_root</beginfold id='1'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='1'>,</endfold id='1'> 129 <beginfold id='1'>pivot_root</beginfold id='1'> /mnt/root/<endfold id='1'>,</endfold id='1'> 130 131 # Ptrace rules 132 <beginfold id='1'>ptrace</beginfold id='1'> (trace) peer=unconfined<endfold id='1'>,</endfold id='1'> 133 <beginfold id='1'>ptrace</beginfold id='1'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='1'>,</endfold id='1'> 134 135 # Unix rules 136 <beginfold id='1'>unix</beginfold id='1'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='1'>,</endfold id='1'> 137 <beginfold id='1'>unix</beginfold id='1'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='1'>,</endfold id='1'> 138 <beginfold id='1'>unix</beginfold id='1'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='1'>,</endfold id='1'> 139 140 # Rlimit rule 141 set <beginfold id='1'>rlimit</beginfold id='1'> data <= 100M<endfold id='1'>,</endfold id='1'> 142 set <beginfold id='1'>rlimit</beginfold id='1'> nproc <= 10<endfold id='1'>,</endfold id='1'> 143 set <beginfold id='1'>rlimit</beginfold id='1'> memlock <= 2GB<endfold id='1'>,</endfold id='1'> 144 set <beginfold id='1'>rlimit</beginfold id='1'> rss <= infinity<endfold id='1'>,</endfold id='1'> 145 set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12<endfold id='1'>,</endfold id='1'> 146 147 # Change Profile rules 148 <beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> [^u/]**<endfold id='1'>,</endfold id='1'> 149 <beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='1'>,</endfold id='1'> 150 <beginfold id='1'>change_profile</beginfold id='1'> /bin/bash -> 151 new_profile//hat<endfold id='1'>,</endfold id='1'> 152 <endfold id='2'>}</endfold id='2'> 153 154 # Hat 155 ^foo-helper\/ <beginfold id='2'>{</beginfold id='2'> 156 <beginfold id='1'>network</beginfold id='1'> unix stream<endfold id='1'>,</endfold id='1'> 157 <beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'> 158 159 /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='1'>,</endfold id='1'> # Escape expressions 160 161 # Text after a variable is highlighted as path 162 <beginfold id='1'>file</beginfold id='1'> /my/path r<endfold id='1'>,</endfold id='1'> 163 @{FOO_LIB}file r<endfold id='1'>,</endfold id='1'> 164 @{FOO_LIB}#my/path r<endfold id='1'>,</endfold id='1'> #Comment 165 @{FOO_LIB}ñ* r<endfold id='1'>,</endfold id='1'> 166 <beginfold id='1'>unix</beginfold id='1'> (/path\t{aa}*,*a @{var}*path,* @{var},*)<endfold id='1'>,</endfold id='1'> 167 <endfold id='2'>}</endfold id='2'> 168<endfold id='2'>}</endfold id='2'> 169 170# Syntax Error 171/usr/bin/error (complain, audit) <beginfold id='2'>{</beginfold id='2'> 172 <beginfold id='1'>file</beginfold id='1'> #include /hello r<endfold id='1'>,</endfold id='1'> 173 174 # Error: Variable open or with characters not allowed 175 @<beginfold id='2'>{</beginfold id='2'>var 176 @<beginfold id='2'>{</beginfold id='2'>sdf&s<endfold id='2'>}</endfold id='2'> 177 178 # Error: Open brackets 179 /{hello{ab,cd}world kr<endfold id='1'>,</endfold id='1'> 180 /{abc{abc kr<endfold id='1'>,</endfold id='1'> 181 /[abc kr<endfold id='1'>,</endfold id='1'> 182 /(abc kr<endfold id='1'>,</endfold id='1'> 183 184 # Error: Empty brackets 185 /hello[]hello{}hello()he kr<endfold id='1'>,</endfold id='1'> 186 187 # Comments not allowed 188 <beginfold id='1'>dbus</beginfold id='1'> (send) #No comment 189 path=/org/hello 190 #No comment 191 interface=org.hello #No comment 192 peer=(name=org.hello #No comment 193 label=unconfined)<endfold id='1'>,</endfold id='1'> #Comment 194 195 # Don't allow assignment of variables within profiles 196 @{VARIABLE} = val1 val2 val3 # Comment 197 198 # Alias rules not allowed within profiles 199 alias /run/ -> /mnt/run/, 200 201 # Error: Open rule 202 /home/*/file rw 203 <endfold id='1'></endfold id='1'><beginfold id='1'>capability</beginfold id='1'> dac_override 204 <endfold id='1'>deny</endfold id='1'> <beginfold id='1'>file</beginfold id='1'> /etc/fstab w 205 <endfold id='1'>audit</endfold id='1'> <beginfold id='1'>network</beginfold id='1'> ieee802154<endfold id='1'>,</endfold id='1'> 206 207 <beginfold id='1'>dbus</beginfold id='1'> (receive 208 <endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'> 209 <beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'> 210<endfold id='2'>}</endfold id='2'> 211 212profile other_tests <beginfold id='2'>{</beginfold id='2'> 213 # set rlimit 214 set <beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'> 215 <beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'> # Without "set" 216 set #comment 217 <beginfold id='1'>rlimit</beginfold id='1'> 218 nice <= 3<endfold id='1'>,</endfold id='1'> 219 220 # "remount" keyword 221 <beginfold id='1'>mount</beginfold id='1'> remount 222 remount<endfold id='1'>,</endfold id='1'> 223 <beginfold id='1'>remount</beginfold id='1'> remount 224 remount<endfold id='1'>,</endfold id='1'> 225 <beginfold id='1'>dbus</beginfold id='1'> remount 226 <endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'> 227 <beginfold id='1'>unix</beginfold id='1'> remount 228 <endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'> 229 # "unix" keyword 230 <beginfold id='1'>network</beginfold id='1'> unix 231 unix<endfold id='1'>,</endfold id='1'> 232 <beginfold id='1'>ptrace</beginfold id='1'> unix 233 <endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'> 234 <beginfold id='1'>unix</beginfold id='1'> unix 235 <endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'> 236 237 # Transition rules 238 /usr/bin/foo cx -> hello*<endfold id='1'>,</endfold id='1'> # profile name 239 /usr/bin/foo Cx -> path/<endfold id='1'>,</endfold id='1'> # path 240 /usr/bin/foo cx -> ab[ad/]hello<endfold id='1'>,</endfold id='1'> # profile name 241 /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='1'>,</endfold id='1'> # path 242 /usr/bin/foo Cx -> ab[hello/path<endfold id='1'>,</endfold id='1'> # profile name 243 244 /usr/bin/foo cx -> "hello*"<endfold id='1'>,</endfold id='1'> # profile name 245 /usr/bin/foo Cx -> "path/"<endfold id='1'>,</endfold id='1'> # path 246 /usr/bin/foo cx -> "ab[ad/]hello"<endfold id='1'>,</endfold id='1'> # profile name 247 /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='1'>,</endfold id='1'> # path 248 /usr/bin/foo Cx -> "ab[hello/path"<endfold id='1'>,</endfold id='1'> # profile name 249 250 /usr/bin/foo cx -> holas//hello/sa<endfold id='1'>,</endfold id='1'> # path 251 /usr/bin/foo cx -> df///dd//hat<endfold id='1'>,</endfold id='1'> # path + hat 252 /usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='1'>,</endfold id='1'> # profile name 253 254 # Access modes 255 /hello/lib/foo rwklms, # s invalid 256 /hello/lib/foo rwmaix, # w & a incompatible 257 /hello/lib/foo kalmw, 258 /hello/lib/foo wa, 259 # OK 260 /hello/lib/foo rrwrwwrwrw<endfold id='1'>,</endfold id='1'> 261 /hello/lib/foo ixixix<endfold id='1'>,</endfold id='1'> 262 # Incompatible exec permissions 263 ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx, 264 pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx, 265 Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx, 266 # Test valid permissions 267 r w a k l m l x ix ux Ux px Px cx Cx <endfold id='1'>,</endfold id='1'> 268 pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='1'>,</endfold id='1'> 269 rwklmx raklmx<endfold id='1'>,</endfold id='1'> 270 r rw rwk rwkl rwklm<endfold id='1'>,</endfold id='1'> 271 rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='1'>,</endfold id='1'> 272 rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='1'>,</endfold id='1'> 273 rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='1'>,</endfold id='1'> 274 275 # Profile name 276 profile holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 277 profile <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 278 profile /path <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 279 profile holas/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 280 profile holas\/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 281 profile 282 #holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 283 284 profile flags=(complain)#asd <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 285 profile flags flags=(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 286 profile flags(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'> 287<endfold id='2'>}</endfold id='2'> 288