1# kate: syntax AppArmor Security Profile; replace-tabs off;
2
3#
4#   Sample AppArmor Profile.
5#   License: Public Domain
6#
7#   NOTE: This profile is not a working policy; it exists to
8#   exercise the syntax highlighting of KDE's
9#   KSyntaxHighlighting framework.
10#
11
12include <tunables/global>
13
14# Variable assignment in its accepted forms: single-line, value on the next line, "+=" with a
14# line continuation, and a $-prefixed (boolean-style) variable. The "#No-Comment" text is expected
14# to remain part of the value rather than start a comment (compare the dbus rules further down).
15@{FOO_LIB}=/usr/lib{,32,64}/foo
16@{USER_DIR}
17  = @{HOME}/Public @{HOME}/Desktop #No-Comment
18@{USER_DIR} += @{HOME}/Hello \
19deny owner #No-comment aa#aa
20${BOOL} = true
21
22# Alias rule (top-level only; it is not permitted inside a profile, see the error profile below)
23<beginfold id='1'>alias</beginfold id='1'> /usr/ -> /mnt/usr/<endfold id='1'>,</endfold id='1'>
24
25# ABI declaration in its accepted spellings: angle-bracketed, angle-bracketed and quoted, quoted, bare
26<beginfold id='1'>abi</beginfold id='1'> <abi/3.0><endfold id='1'>,</endfold id='1'>
27<beginfold id='1'>abi</beginfold id='1'> <"includes/abi/4.19"><endfold id='1'>,</endfold id='1'>
28<beginfold id='1'>abi</beginfold id='1'> "simple_tests/includes/abi/4.19"<endfold id='1'>,</endfold id='1'>
29<beginfold id='1'>abi</beginfold id='1'> simple_tests/includes/abi/4.19<endfold id='1'>,</endfold id='1'>
30
31# Profile for /usr/bin/foo
32profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) <beginfold id='2'>{</beginfold id='2'>  # main profile for /usr/bin/foo, enforcing; NOTE(review): xattrs=(...) presumably adds attachment conditions on the binary — confirm against the parser version in use
33	#include <abstractions/ubuntu-helpers>
34	#include<abstractions/wayland>
35	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
36	include "/etc/apparmor.d/abstractions/openssl"
37
38	include if exists <path with spaces>
39	include <include_tests/includes_okay_helper.include> #include <includes/base>
40	/some/file mr<endfold id='1'>,</endfold id='1'> #include <includes/base> /bin/true Px<endfold id='1'>,</endfold id='1'>
41
42	# File rules
43	/{,**/} r<endfold id='1'>,</endfold id='1'>  # matches "/" and every path ending in "/", i.e. directories
44	owner /{home,media,mnt,srv,net}/** r<endfold id='1'>,</endfold id='1'>
45	owner @{USER_DIR}/** rw<endfold id='1'>,</endfold id='1'>
46	audit deny owner /**/* mx<endfold id='1'>,</endfold id='1'>  # explicit deny takes precedence over the overlapping allow rules; "audit" logs every hit
47	/**.[tT][xX][tT] r<endfold id='1'>,</endfold id='1'>  # txt
48
49	owner <beginfold id='1'>file</beginfold id='1'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='1'>,</endfold id='1'>
50	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk<endfold id='1'>,</endfold id='1'>
51
52	"/usr/share/**" r<endfold id='1'>,</endfold id='1'>
53	"/var/lib/flatpak/exports/share/**" r<endfold id='1'>,</endfold id='1'>
54	"/var/lib/{spaces in
55		string,hello}/a[^ a]a/**" r<endfold id='1'>,</endfold id='1'>
56
57	allow <beginfold id='1'>file</beginfold id='1'> /etc/nsswitch.conf           r<endfold id='1'>,</endfold id='1'>  # "allow" is the default and may be spelled out
58	allow /etc/fstab                        r<endfold id='1'>,</endfold id='1'>
59	deny /etc/xdg/{autostart,systemd}/**    r<endfold id='1'>,</endfold id='1'>
60	deny /boot/**                           rwlkmx<endfold id='1'>,</endfold id='1'>  # explicit deny overrides any overlapping allow
61
62	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='1'>,</endfold id='1'>
63	/sys/devices/**/uevent r<endfold id='1'>,</endfold id='1'>
64	@{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='1'>,</endfold id='1'>
65
66	/usr/bin/foo         ixr<endfold id='1'>,</endfold id='1'>  # re-exec of the confined binary inherits this profile
67	/usr/bin/dolphin     pUx<endfold id='1'>,</endfold id='1'>  # "Ux" falls back to running the target unconfined when it has no profile — confirm that fallback is intended
68	/usr/bin/*           Pixr<endfold id='1'>,</endfold id='1'>  # wildcard exec over all of /usr/bin; "Pix" = target's own profile, falling back to inheriting this one
69	/usr/bin/khelpcenter Cx  -> sanitized_helper<endfold id='1'>,</endfold id='1'>
70	/usr/bin/helloworld  cxr ->
71		hello_world<endfold id='1'>,</endfold id='1'>
72	/bin/** px -> profile<endfold id='1'>,</endfold id='1'>
73
74	# Dbus rules
75	<beginfold id='1'>dbus</beginfold id='1'> (send)  #No-Comment
76		bus=system
77		path=/org/freedesktop/NetworkManager
78		interface=org.freedesktop.DBus.Introspectable
79		peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='1'>,</endfold id='1'>
80	<beginfold id='1'>dbus</beginfold id='1'> (send receive)
81		bus=system
82		path=/org/freedesktop/NetworkManager
83		interface=org.freedesktop.NetworkManager
84		member={Introspect,state}
85		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus))<endfold id='1'>,</endfold id='1'>
86	<beginfold id='1'>dbus</beginfold id='1'> (send)
87		bus=session
88		path=/org/gnome/GConf/Database/*
89		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='1'>,</endfold id='1'>
90	<beginfold id='1'>dbus</beginfold id='1'> (bind)
91		bus=system
92		name=org.bluez<endfold id='1'>,</endfold id='1'>  # "bind" = request ownership of the org.bluez name on the system bus
93
94	# Signal rules
95	<beginfold id='1'>signal</beginfold id='1'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='1'>,</endfold id='1'>
96	<beginfold id='1'>signal</beginfold id='1'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='1'>,</endfold id='1'>
97
98	# Child profile
99	profile hello_world <beginfold id='2'>{</beginfold id='2'>  # entered through the "cxr -> hello_world" rule above
100		# File rules (three different ways)
101		<beginfold id='1'>file</beginfold id='1'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='1'>,</endfold id='1'>
102		/usr/lib{,32,64}/helloworld/** r<endfold id='1'>,</endfold id='1'>
103		rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='1'>,</endfold id='1'>
104
105		# Link rules (two ways)
106		l /foo1 -> /bar<endfold id='1'>,</endfold id='1'>
107		<beginfold id='1'>link</beginfold id='1'> /foo2 -> bar<endfold id='1'>,</endfold id='1'>
108		<beginfold id='1'>link</beginfold id='1'> subset /link* -> /**<endfold id='1'>,</endfold id='1'>
109
110		# Network rules
111		<beginfold id='1'>network</beginfold id='1'> inet6 tcp<endfold id='1'>,</endfold id='1'>
112		<beginfold id='1'>network</beginfold id='1'> netlink dgram<endfold id='1'>,</endfold id='1'>
113		<beginfold id='1'>network</beginfold id='1'> bluetooth<endfold id='1'>,</endfold id='1'>
114		<beginfold id='1'>network</beginfold id='1'> unspec dgram<endfold id='1'>,</endfold id='1'>
115
116		# Capability rules
117		<beginfold id='1'>capability</beginfold id='1'> dac_override<endfold id='1'>,</endfold id='1'>
118		<beginfold id='1'>capability</beginfold id='1'> sys_admin<endfold id='1'>,</endfold id='1'>  # very broad catch-all capability (mount and much more); verify the child really needs it
119		<beginfold id='1'>capability</beginfold id='1'> sys_chroot<endfold id='1'>,</endfold id='1'>
120
121		# Mount rules
122		<beginfold id='1'>mount</beginfold id='1'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
123		<beginfold id='1'>mount</beginfold id='1'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='1'>,</endfold id='1'>
124		<beginfold id='1'>mount</beginfold id='1'> options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*<endfold id='1'>,</endfold id='1'>
125		<beginfold id='1'>umount</beginfold id='1'> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
126
127		# Pivot Root rules
128		<beginfold id='1'>pivot_root</beginfold id='1'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='1'>,</endfold id='1'>
129		<beginfold id='1'>pivot_root</beginfold id='1'> /mnt/root/<endfold id='1'>,</endfold id='1'>
130
131		# Ptrace rules
132		<beginfold id='1'>ptrace</beginfold id='1'> (trace) peer=unconfined<endfold id='1'>,</endfold id='1'>  # permits tracing unconfined processes — about as broad as a ptrace rule gets; confirm it is required
133		<beginfold id='1'>ptrace</beginfold id='1'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='1'>,</endfold id='1'>
134
135		# Unix rules
136		<beginfold id='1'>unix</beginfold id='1'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='1'>,</endfold id='1'>
137		<beginfold id='1'>unix</beginfold id='1'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='1'>,</endfold id='1'>
138		<beginfold id='1'>unix</beginfold id='1'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='1'>,</endfold id='1'>
139
140		# Rlimit rule
141		set <beginfold id='1'>rlimit</beginfold id='1'> data  <= 100M<endfold id='1'>,</endfold id='1'>
142		set <beginfold id='1'>rlimit</beginfold id='1'> nproc <= 10<endfold id='1'>,</endfold id='1'>
143		set <beginfold id='1'>rlimit</beginfold id='1'> memlock <= 2GB<endfold id='1'>,</endfold id='1'>
144		set <beginfold id='1'>rlimit</beginfold id='1'> rss <= infinity<endfold id='1'>,</endfold id='1'>
145		set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12<endfold id='1'>,</endfold id='1'>
146
147		# Change Profile rules
148		<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> [^u/]**<endfold id='1'>,</endfold id='1'>  # "unsafe": the environment is not scrubbed on the change; the target pattern excludes names starting with "u"
149		<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='1'>,</endfold id='1'>  # only proper prefixes of "unconfined" are listed, so the full name "unconfined" stays unreachable — presumably deliberate
150		<beginfold id='1'>change_profile</beginfold id='1'> /bin/bash  ->
151			new_profile//hat<endfold id='1'>,</endfold id='1'>
152	<endfold id='2'>}</endfold id='2'>
153
154	# Hat
155	^foo-helper\/ <beginfold id='2'>{</beginfold id='2'>  # hat; note the escaped "/" in its name
156		<beginfold id='1'>network</beginfold id='1'> unix stream<endfold id='1'>,</endfold id='1'>
157		<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
158
159		/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='1'>,</endfold id='1'> # Escape expressions
160
161		# Text after a variable is highlighted as path
162		<beginfold id='1'>file</beginfold id='1'> /my/path r<endfold id='1'>,</endfold id='1'>
163		@{FOO_LIB}file r<endfold id='1'>,</endfold id='1'>
164		@{FOO_LIB}#my/path r<endfold id='1'>,</endfold id='1'> #Comment
165		@{FOO_LIB}ñ* r<endfold id='1'>,</endfold id='1'>
166		<beginfold id='1'>unix</beginfold id='1'> (/path\t{aa}*,*a @{var}*path,* @{var},*)<endfold id='1'>,</endfold id='1'>
167	<endfold id='2'>}</endfold id='2'>
168<endfold id='2'>}</endfold id='2'>
169
170# Syntax errors (deliberate; this profile exercises error highlighting)
171/usr/bin/error (complain, audit) <beginfold id='2'>{</beginfold id='2'>  # deliberately malformed rules; each group is labelled with the error it exercises
172	<beginfold id='1'>file</beginfold id='1'> #include /hello r<endfold id='1'>,</endfold id='1'>
173
174	# Error: variable reference left open, or containing characters that are not allowed
175	@<beginfold id='2'>{</beginfold id='2'>var
176	@<beginfold id='2'>{</beginfold id='2'>sdf&s<endfold id='2'>}</endfold id='2'>
177
178	# Error: unbalanced (unclosed) brackets in paths
179	/{hello{ab,cd}world  kr<endfold id='1'>,</endfold id='1'>
180	/{abc{abc kr<endfold id='1'>,</endfold id='1'>
181	/[abc  kr<endfold id='1'>,</endfold id='1'>
182	/(abc kr<endfold id='1'>,</endfold id='1'>
183
184	# Error: empty brackets in a path
185	/hello[]hello{}hello()he  kr<endfold id='1'>,</endfold id='1'>
186
187	# Error: comments are not allowed inside a multi-line rule ("#No comment" marks each spot);
187	# after the closing comma a comment is fine again ("#Comment")
188	<beginfold id='1'>dbus</beginfold id='1'> (send)  #No comment
189		path=/org/hello
190		#No comment
191		interface=org.hello #No comment
192		peer=(name=org.hello  #No comment
193		      label=unconfined)<endfold id='1'>,</endfold id='1'> #Comment
194
195	# Error: variable assignment is not allowed within a profile
196	@{VARIABLE} = val1 val2 val3 # Comment
197
198	# Error: alias rules are not allowed within a profile
199	alias /run/ -> /mnt/run/,
200
201	# Error: open rules (missing trailing comma), so each line runs into the next one
202	/home/*/file rw
203	<endfold id='1'></endfold id='1'><beginfold id='1'>capability</beginfold id='1'> dac_override
204	<endfold id='1'>deny</endfold id='1'> <beginfold id='1'>file</beginfold id='1'> /etc/fstab w
205	<endfold id='1'>audit</endfold id='1'> <beginfold id='1'>network</beginfold id='1'> ieee802154<endfold id='1'>,</endfold id='1'>
206
207	<beginfold id='1'>dbus</beginfold id='1'> (receive
208	<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
209	<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
210<endfold id='2'>}</endfold id='2'>
211
212profile other_tests <beginfold id='2'>{</beginfold id='2'>  # keyword, transition-target, permission-string and profile-header edge cases
213	# set rlimit: with and without the leading "set", and split across lines
214	set <beginfold id='1'>rlimit</beginfold id='1'> nice  <= 3<endfold id='1'>,</endfold id='1'>
215	<beginfold id='1'>rlimit</beginfold id='1'> nice  <= 3<endfold id='1'>,</endfold id='1'> # Without "set"
216	set #comment
217		<beginfold id='1'>rlimit</beginfold id='1'>
218			nice  <= 3<endfold id='1'>,</endfold id='1'>
219
220	# "remount" keyword: as a mount option, and in positions where it is not one
221	<beginfold id='1'>mount</beginfold id='1'> remount
222		remount<endfold id='1'>,</endfold id='1'>
223	<beginfold id='1'>remount</beginfold id='1'> remount
224		remount<endfold id='1'>,</endfold id='1'>
225	<beginfold id='1'>dbus</beginfold id='1'> remount
226		<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
227	<beginfold id='1'>unix</beginfold id='1'> remount
228		<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
229	# "unix" keyword: as a network family, and as the rule keyword itself
230	<beginfold id='1'>network</beginfold id='1'> unix
231		unix<endfold id='1'>,</endfold id='1'>
232	<beginfold id='1'>ptrace</beginfold id='1'> unix
233		<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
234	<beginfold id='1'>unix</beginfold id='1'> unix
235		<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
236
237	# Transition rules: the target is a profile name unless it looks like a path (contains "/"); unquoted, then quoted
238	/usr/bin/foo cx -> hello*<endfold id='1'>,</endfold id='1'>                  # profile name
239	/usr/bin/foo Cx -> path/<endfold id='1'>,</endfold id='1'>                   # path
240	/usr/bin/foo cx -> ab[ad/]hello<endfold id='1'>,</endfold id='1'>            # profile name
241	/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='1'>,</endfold id='1'> # path
242	/usr/bin/foo Cx -> ab[hello/path<endfold id='1'>,</endfold id='1'>           # profile name
243
244	/usr/bin/foo cx -> "hello*"<endfold id='1'>,</endfold id='1'>                  # profile name
245	/usr/bin/foo Cx -> "path/"<endfold id='1'>,</endfold id='1'>                   # path
246	/usr/bin/foo cx -> "ab[ad/]hello"<endfold id='1'>,</endfold id='1'>            # profile name
247	/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='1'>,</endfold id='1'> # path
248	/usr/bin/foo Cx -> "ab[hello/path"<endfold id='1'>,</endfold id='1'>           # profile name
249
250	/usr/bin/foo cx -> holas//hello/sa<endfold id='1'>,</endfold id='1'>    # path
251	/usr/bin/foo cx -> df///dd//hat<endfold id='1'>,</endfold id='1'>       # path + hat
252	/usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='1'>,</endfold id='1'>  # profile name
253
254	# Access modes: invalid combinations first (see the trailing notes), then valid ones
255	/hello/lib/foo rwklms, # s invalid
256	/hello/lib/foo rwmaix, # w & a incompatible
257	/hello/lib/foo kalmw,
258	/hello/lib/foo wa,
259	# OK
260	/hello/lib/foo rrwrwwrwrw<endfold id='1'>,</endfold id='1'>
261	/hello/lib/foo ixixix<endfold id='1'>,</endfold id='1'>
262	# Error: incompatible exec permissions (different exec modes mixed within one rule)
263	ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
264	pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
265	Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
266	# Valid permission strings
267	r w a k l m l x ix ux Ux px Px cx Cx <endfold id='1'>,</endfold id='1'>
268	pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='1'>,</endfold id='1'>
269	rwklmx raklmx<endfold id='1'>,</endfold id='1'>
270	r rw rwk rwkl rwklm<endfold id='1'>,</endfold id='1'>
271	rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='1'>,</endfold id='1'>
272	rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='1'>,</endfold id='1'>
273	rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='1'>,</endfold id='1'>
274
275	# Profile name forms: plain, missing, path, name containing "/", escaped "/", and a header whose
275	# name and braces are swallowed by a comment on the next line
276	profile holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
277	profile <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
278	profile /path <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
279	profile holas/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
280	profile holas\/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
281	profile
282		#holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
283
283	# Flags on the header; on the first line "#asd { ... }" is a comment, so no brace is opened
284	profile flags=(complain)#asd <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
285	profile flags flags=(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
286	profile flags(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
287<endfold id='2'>}</endfold id='2'>
288