File: cleanprof_test.in

apparmor 4.1.0-1
# A simple test comment which will persist
# Preamble of a cleanup-test fixture: the statements below repeat the same
# include and use irregular spacing. Presumably that is the input the test
# normalizes, so the statement lines are kept byte-for-byte - confirm against
# the expected-output file before reformatting anything here.
#include <tunables/global>

# "if exists" makes an include optional: a missing file is skipped, not an error.
#include  if  exists <tunables/nothing>

# Same file as the first include, once with the "#include" spelling and once
# with the plain "include" keyword.
  #include if exists <tunables/global>
  include if exists <tunables/global>

# Alias rule mapping /foo to /bar.
		alias /foo    ->    /bar	,

# Set variable holding two values, y and x.
@{xy}    =   y   x

# Declares the policy feature ABI this file is written against.
  abi  <abi/4.19>    ,

# Set variable whose second value is an empty quoted string.
  @{asdf}       =   foo           ""

# Boolean variables.
$foo = false

   $bar    =    true

# Fixture profile: the rules below are deliberately repeated, overlapping or
# oddly spaced. Several of them are very broad grants; this is test input,
# not a policy to copy. Presumably the whitespace is part of what is tested,
# so rule lines are kept byte-for-byte.
/usr/bin/a/simple/cleanprof/test/profile {
	# Just for the heck of it, this comment won't see the day of light
	#include <abstractions/base>

	# The same abstraction is pulled in three ways below, plus an optional <foo>.
#include  if  exists <foo>
	#include if exists <abstractions/base>
	include <abstractions/base>

	# "audit capability," names no capability, so it covers every capability
	# (with audit logging) and makes the sys_admin rule redundant.
    capability sys_admin,
    audit capability,

	# The bare "change_profile," permits a transition to any profile, which
	# already includes the /bin/foo target.
    change_profile -> /bin/foo,
    change_profile,

	# "network stream," is not limited to one address family, so it is the
	# broader of the two network rules.
    network inet stream,
               abi  "abi/4.20"    ,
    network stream,

	#Below rule comes from abstractions/base
	allow /usr/share/X11/locale/**  r,
	# Read access to everything under every directory in /home.
	allow /home/*/** r,

	# The bare "ptrace tracedby," applies to any peer, including /bin/strace.
    ptrace tracedby peer=/bin/strace,
    ptrace tracedby,
    unix (receive) type=dgram,

	# The second dbus rule only narrows the first by peer label.
    dbus send bus=session,
    dbus send bus=session peer=(label=foo),

	# Nested child profile attached to /foobar.
    profile test_child /foobar {
            /etc/child rw,
            }

	# Two limits for the same resource; which one the tool keeps is not
	# shown here - confirm against the expected output.
    set rlimit nofile <= 256,
    set rlimit nofile <= 64,

	# One signal rule spread over three lines, with several set= conditions
	# and empty entries in the comma list; the rule after it names a subset
	# of the same signals.
    signal set=(hup int quit ill trap abrt)
             set=(bus,fpe,,,kill,usr1)
                      set=segv set=usr2 set=pipe set=alrm set=term set=stkflt set=chld,
    signal set=(hup int quit),

	# Hat written with the "^" prefix. dac_override lets the confined task
	# bypass file permission checks.
    ^foo {
            /etc/fstab r,
        capability dac_override,
        }

    ^foo, # hat declarations are obsolete and will be removed when aa-cleanprof or aa-logprof writes the profile

	mount options=(rw,suid) /c -> /3,

	# Hat written with the "hat" keyword instead of "^"; it grants sys_admin.
    hat bar {
        /etc/passwd r,
        capability sys_admin,
        }

	pivot_root oldroot=/mnt/root/old/,

	# Explicit deny with extra spacing between every token.
	deny    owner       link       /some/thing    ->     /foo/bar    ,
	unix shutdown addr=@HypotheticalServiceDaemon, # covered in abstractions/base, will be removed

	link subset /alpha/beta -> /tmp/**,

	# /home/foo/bar r is already covered by "/home/*/** r" above; the second
	# rule adds write access below /home/foo.
	allow /home/foo/bar r,
	allow /home/foo/** w,
}

# Second fixture profile. "/home/*/** rw" grants read and write below every
# directory in /home and already covers the /home/foo/bar rule after it.
# Presumably the test cleans only the first profile, which would explain the
# note below that this one is left alone - confirm against the test driver.
/usr/bin/other/cleanprof/test/profile {
	# This one shouldn't be affected by the processing
	# However this comment will be wiped, need to change that
	allow /home/*/** rw,
	allow /home/foo/bar r,
}

# Profile header split over three lines. xattrs=(foo=bar) is an attachment
# condition on the executable's extended attribute foo having the value bar.
# flags=(complain) puts the profile in complain mode: violations are logged
# rather than denied, so this profile does not enforce anything.
/what/ever/xattr   xattrs=(   foo=bar      )
       flags=(  complain
	   ) {
 # Single read rule for /what/ever.
 /what/ever r,
 }