# kate: syntax AppArmor Security Profile; replace-tabs off;

#
#   Sample AppArmor Profile.
#   License: Public Domain
#
#   NOTE: This profile is not functional: it exists only to exercise the
#   syntax highlighting of KDE's KSyntaxHighlighting framework. It contains
#   deliberate syntax errors and, where it does parse, grants very broad
#   access (capability sys_admin, mount/pivot_root, ptrace peer=unconfined,
#   change_profile unsafe). Never install it under /etc/apparmor.d or load
#   it with apparmor_parser on a real system.
#

include <tunables/global>

# Variable assignment
@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR}
  = @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
deny owner #No-comment aa#aa
${BOOL} = true

# Alias
<beginfold id='1'>alias</beginfold id='1'> /usr/ -> /mnt/usr/<endfold id='1'>,</endfold id='1'>

# ABI feature
<beginfold id='1'>abi</beginfold id='1'> <abi/3.0><endfold id='1'>,</endfold id='1'>
<beginfold id='1'>abi</beginfold id='1'> <"includes/abi/4.19"><endfold id='1'>,</endfold id='1'>
<beginfold id='1'>abi</beginfold id='1'> "simple_tests/includes/abi/4.19"<endfold id='1'>,</endfold id='1'>
<beginfold id='1'>abi</beginfold id='1'> simple_tests/includes/abi/4.19<endfold id='1'>,</endfold id='1'>

# Profile for /usr/bin/foo
profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) <beginfold id='2'>{</beginfold id='2'>
	#include <abstractions/ubuntu-helpers>
	#include<abstractions/wayland>
	#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
	include "/etc/apparmor.d/abstractions/openssl"

	include if exists <path with spaces>
	include <include_tests/includes_okay_helper.include> #include <includes/base>
	/some/file mr<endfold id='1'>,</endfold id='1'> #include <includes/base> /bin/true Px<endfold id='1'>,</endfold id='1'>

	# File rules
	/{,**/} r<endfold id='1'>,</endfold id='1'>
	owner /{home,media,mnt,srv,net}/** r<endfold id='1'>,</endfold id='1'>
	owner @{USER_DIR}/** rw<endfold id='1'>,</endfold id='1'>
	audit deny owner /**/* mx<endfold id='1'>,</endfold id='1'>
	/**.[tT][xX][tT] r<endfold id='1'>,</endfold id='1'>  # txt

	owner <beginfold id='1'>file</beginfold id='1'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='1'>,</endfold id='1'>
	owner @{HOME}/.config/*.[a-zA-Z0-9]*      rwk<endfold id='1'>,</endfold id='1'>

	"/usr/share/**" r<endfold id='1'>,</endfold id='1'>
	"/var/lib/flatpak/exports/share/**" r<endfold id='1'>,</endfold id='1'>
	"/var/lib/{spaces in
		string,hello}/a[^ a]a/**" r<endfold id='1'>,</endfold id='1'>

	allow <beginfold id='1'>file</beginfold id='1'> /etc/nsswitch.conf           r<endfold id='1'>,</endfold id='1'>
	allow /etc/fstab                        r<endfold id='1'>,</endfold id='1'>
	deny /etc/xdg/{autostart,systemd}/**    r<endfold id='1'>,</endfold id='1'>
	deny /boot/**                           rwlkmx<endfold id='1'>,</endfold id='1'>

	owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='1'>,</endfold id='1'>
	/sys/devices/**/uevent r<endfold id='1'>,</endfold id='1'>
	@{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='1'>,</endfold id='1'>

	/usr/bin/foo         ixr<endfold id='1'>,</endfold id='1'>
	/usr/bin/dolphin     pUx<endfold id='1'>,</endfold id='1'>
	/usr/bin/*           Pixr<endfold id='1'>,</endfold id='1'>
	/usr/bin/khelpcenter Cx  -> sanitized_helper<endfold id='1'>,</endfold id='1'>
	/usr/bin/helloworld  cxr ->
		hello_world<endfold id='1'>,</endfold id='1'>
	/bin/** px -> profile<endfold id='1'>,</endfold id='1'>

	# Dbus rules
	<beginfold id='1'>dbus</beginfold id='1'> (send)  #No-Comment
		bus=system
		path=/org/freedesktop/NetworkManager
		interface=org.freedesktop.DBus.Introspectable
		peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>dbus</beginfold id='1'> (send receive)
		bus=system
		path=/org/freedesktop/NetworkManager
		interface=org.freedesktop.NetworkManager
		member={Introspect,state}
		peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus))<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>dbus</beginfold id='1'> (send)
		bus=session
		path=/org/gnome/GConf/Database/*
		member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>dbus</beginfold id='1'> (bind)
		bus=system
		name=org.bluez<endfold id='1'>,</endfold id='1'>

	# Signal rules
	<beginfold id='1'>signal</beginfold id='1'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>signal</beginfold id='1'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='1'>,</endfold id='1'>

	# Child profile
	profile hello_world <beginfold id='2'>{</beginfold id='2'>
		# File rules (three different ways)
		<beginfold id='1'>file</beginfold id='1'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='1'>,</endfold id='1'>
		/usr/lib{,32,64}/helloworld/** r<endfold id='1'>,</endfold id='1'>
		rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='1'>,</endfold id='1'>

		# Link rules (two ways)
		l /foo1 -> /bar<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>link</beginfold id='1'> /foo2 -> bar<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>link</beginfold id='1'> subset /link* -> /**<endfold id='1'>,</endfold id='1'>

		# Network rules
		<beginfold id='1'>network</beginfold id='1'> inet6 tcp<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>network</beginfold id='1'> netlink dgram<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>network</beginfold id='1'> bluetooth<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>network</beginfold id='1'> unspec dgram<endfold id='1'>,</endfold id='1'>

		# Capability rules
		<beginfold id='1'>capability</beginfold id='1'> dac_override<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>capability</beginfold id='1'> sys_admin<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>capability</beginfold id='1'> sys_chroot<endfold id='1'>,</endfold id='1'>

		# Mount rules
		<beginfold id='1'>mount</beginfold id='1'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>mount</beginfold id='1'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>mount</beginfold id='1'> options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>umount</beginfold id='1'> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>

		# Pivot Root rules
		<beginfold id='1'>pivot_root</beginfold id='1'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>pivot_root</beginfold id='1'> /mnt/root/<endfold id='1'>,</endfold id='1'>

		# Ptrace rules
		<beginfold id='1'>ptrace</beginfold id='1'> (trace) peer=unconfined<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>ptrace</beginfold id='1'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='1'>,</endfold id='1'>

		# Unix rules
		<beginfold id='1'>unix</beginfold id='1'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>unix</beginfold id='1'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>unix</beginfold id='1'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='1'>,</endfold id='1'>

		# Rlimit rule
		set <beginfold id='1'>rlimit</beginfold id='1'> data  <= 100M<endfold id='1'>,</endfold id='1'>
		set <beginfold id='1'>rlimit</beginfold id='1'> nproc <= 10<endfold id='1'>,</endfold id='1'>
		set <beginfold id='1'>rlimit</beginfold id='1'> memlock <= 2GB<endfold id='1'>,</endfold id='1'>
		set <beginfold id='1'>rlimit</beginfold id='1'> rss <= infinity<endfold id='1'>,</endfold id='1'>
		set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12<endfold id='1'>,</endfold id='1'>
		set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12K<endfold id='1'>,</endfold id='1'>

		# Change Profile rules
		<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> [^u/]**<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>change_profile</beginfold id='1'> /bin/bash  ->
			new_profile//hat<endfold id='1'>,</endfold id='1'>
	<endfold id='2'>}</endfold id='2'>

	# Hat
	^foo-helper\/ <beginfold id='2'>{</beginfold id='2'>
		<beginfold id='1'>network</beginfold id='1'> unix stream<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>

		/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='1'>,</endfold id='1'> # Escape expressions

		# Text after a variable is highlighted as path
		<beginfold id='1'>file</beginfold id='1'> /my/path r<endfold id='1'>,</endfold id='1'>
		@{FOO_LIB}file r<endfold id='1'>,</endfold id='1'>
		@{FOO_LIB}#my/path r<endfold id='1'>,</endfold id='1'> #Comment
		@{FOO_LIB}ñ* r<endfold id='1'>,</endfold id='1'>
		<beginfold id='1'>unix</beginfold id='1'> (/path\t{aa}*,*a @{var}*path,* @{var},*)<endfold id='1'>,</endfold id='1'>
	<endfold id='2'>}</endfold id='2'>
<endfold id='2'>}</endfold id='2'>

# Syntax errors: the rules below are intentionally malformed and would be
# rejected by apparmor_parser; they only test error highlighting.
/usr/bin/error (complain, audit) <beginfold id='2'>{</beginfold id='2'>
	<beginfold id='1'>file</beginfold id='1'> #include /hello r<endfold id='1'>,</endfold id='1'>

	# Error: Variable open or with characters not allowed
	@<beginfold id='2'>{</beginfold id='2'>var
	@<beginfold id='2'>{</beginfold id='2'>sdf&s<endfold id='2'>}</endfold id='2'>

	# Error: Open brackets
	/{hello{ab,cd}world  kr<endfold id='1'>,</endfold id='1'>
	/{abc{abc kr<endfold id='1'>,</endfold id='1'>
	/[abc  kr<endfold id='1'>,</endfold id='1'>
	/(abc kr<endfold id='1'>,</endfold id='1'>

	# Error: Empty brackets
	/hello[]hello{}hello()he  kr<endfold id='1'>,</endfold id='1'>

	# Comments not allowed
	<beginfold id='1'>dbus</beginfold id='1'> (send)  #No comment
		path=/org/hello
		#No comment
		interface=org.hello #No comment
		peer=(name=org.hello  #No comment
		      label=unconfined)<endfold id='1'>,</endfold id='1'> #Comment

	# Don't allow assignment of variables within profiles
	@{VARIABLE} = val1 val2 val3 # Comment

	# Alias rules not allowed within profiles
	alias /run/ -> /mnt/run/,

	# Error: Open rule
	/home/*/file rw
	<endfold id='1'></endfold id='1'><beginfold id='1'>capability</beginfold id='1'> dac_override
	<endfold id='1'>deny</endfold id='1'> <beginfold id='1'>file</beginfold id='1'> /etc/fstab w
	<endfold id='1'>audit</endfold id='1'> <beginfold id='1'>network</beginfold id='1'> ieee802154<endfold id='1'>,</endfold id='1'>

	<beginfold id='1'>dbus</beginfold id='1'> (receive
	<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
<endfold id='2'>}</endfold id='2'>

profile other_tests <beginfold id='2'>{</beginfold id='2'>
	# set rlimit
	set <beginfold id='1'>rlimit</beginfold id='1'> nice  <= 3<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>rlimit</beginfold id='1'> nice  <= 3<endfold id='1'>,</endfold id='1'> # Without "set"
	set #comment
		<beginfold id='1'>rlimit</beginfold id='1'>
			nice  <= 3<endfold id='1'>,</endfold id='1'>

	# "remount" keyword
	<beginfold id='1'>mount</beginfold id='1'> remount
		remount<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>remount</beginfold id='1'> remount
		remount<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>dbus</beginfold id='1'> remount
		<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>unix</beginfold id='1'> remount
		<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
	# "unix" keyword
	<beginfold id='1'>network</beginfold id='1'> unix
		unix<endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>ptrace</beginfold id='1'> unix
		<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
	<beginfold id='1'>unix</beginfold id='1'> unix
		<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>

	# Transition rules
	/usr/bin/foo cx -> hello*<endfold id='1'>,</endfold id='1'>                  # profile name
	/usr/bin/foo Cx -> path/<endfold id='1'>,</endfold id='1'>                   # path
	/usr/bin/foo cx -> ab[ad/]hello<endfold id='1'>,</endfold id='1'>            # profile name
	/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='1'>,</endfold id='1'> # path
	/usr/bin/foo Cx -> ab[hello/path<endfold id='1'>,</endfold id='1'>           # profile name

	/usr/bin/foo cx -> "hello*"<endfold id='1'>,</endfold id='1'>                  # profile name
	/usr/bin/foo Cx -> "path/"<endfold id='1'>,</endfold id='1'>                   # path
	/usr/bin/foo cx -> "ab[ad/]hello"<endfold id='1'>,</endfold id='1'>            # profile name
	/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='1'>,</endfold id='1'> # path
	/usr/bin/foo Cx -> "ab[hello/path"<endfold id='1'>,</endfold id='1'>           # profile name

	/usr/bin/foo cx -> holas//hello/sa<endfold id='1'>,</endfold id='1'>    # path
	/usr/bin/foo cx -> df///dd//hat<endfold id='1'>,</endfold id='1'>       # path + hat
	/usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='1'>,</endfold id='1'>  # profile name

	# Access modes
	/hello/lib/foo rwklms, # s invalid
	/hello/lib/foo rwmaix, # w & a incompatible
	/hello/lib/foo kalmw,
	/hello/lib/foo wa,
	# OK
	/hello/lib/foo rrwrwwrwrw<endfold id='1'>,</endfold id='1'>
	/hello/lib/foo ixixix<endfold id='1'>,</endfold id='1'>
	# Incompatible exec permissions
	ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
	pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
	Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
	# Test valid permissions
	r w a k l m l x ix ux Ux px Px cx Cx <endfold id='1'>,</endfold id='1'>
	pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='1'>,</endfold id='1'>
	rwklmx raklmx<endfold id='1'>,</endfold id='1'>
	r rw rwk rwkl rwklm<endfold id='1'>,</endfold id='1'>
	rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='1'>,</endfold id='1'>
	rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='1'>,</endfold id='1'>
	rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='1'>,</endfold id='1'>

	# Profile name
	profile holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile /path <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile holas/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile holas\/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile
		#holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>

	profile flags=(complain)#asd <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile flags flags=(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
	profile flags(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
<endfold id='2'>}</endfold id='2'>