1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
abi <abi/4.19>,
alias /foo -> /bar,
include <tunables/global>
include if exists <tunables/nothing>
@{xy} = x y
@{asdf} = "" foo
$foo = false
$bar = true
# A simple test comment which will persist
/usr/bin/a/simple/cleanprof/test/profile {
abi "abi/4.20",
include <abstractions/base>
include if exists <foo>
set rlimit nofile <= 256,
audit capability,
network stream,
dbus send bus=session,
mount options=(rw, suid) /c -> /3,
signal set=(abrt alrm bus chld fpe hup ill int kill pipe quit segv stkflt term trap usr1 usr2),
pivot_root oldroot=/mnt/root/old/,
unix (receive) type=dgram,
deny owner link /some/thing -> /foo/bar,
allow /home/*/** r,
allow /home/foo/** w,
link subset /alpha/beta -> /tmp/**,
change_profile,
hat bar {
capability sys_admin,
/etc/passwd r,
}
^foo {
capability dac_override,
/etc/fstab r,
}
profile test_child /foobar {
/etc/child rw,
}
}
/usr/bin/other/cleanprof/test/profile {
allow /home/*/** rw,
allow /home/foo/bar r,
}
/what/ever/xattr xattrs=( foo=bar ) flags=( complain ) {
/what/ever r,
}
|
