289 lines
15 KiB
Plaintext
289 lines
15 KiB
Plaintext
# kate: syntax AppArmor Security Profile; replace-tabs off;
|
|
|
|
#
|
|
# Sample AppArmor Profile.
|
|
# License: Public Domain
|
|
#
|
|
# NOTE: This profile is not fully functional, since
|
|
# it is designed to test the syntax highlighting
|
|
# for the KDE's KSyntaxHighlighting framework.
|
|
#
|
|
|
|
include <tunables/global>
|
|
|
|
# Variable assignment
|
|
@{FOO_LIB}=/usr/lib{,32,64}/foo
|
|
@{USER_DIR}
|
|
= @{HOME}/Public @{HOME}/Desktop #No-Comment
|
|
@{USER_DIR} += @{HOME}/Hello \
|
|
deny owner #No-comment aa#aa
|
|
${BOOL} = true
|
|
|
|
# Alias
|
|
<beginfold id='1'>alias</beginfold id='1'> /usr/ -> /mnt/usr/<endfold id='1'>,</endfold id='1'>
|
|
|
|
# ABI feature
|
|
<beginfold id='1'>abi</beginfold id='1'> <abi/3.0><endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>abi</beginfold id='1'> <"includes/abi/4.19"><endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>abi</beginfold id='1'> "simple_tests/includes/abi/4.19"<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>abi</beginfold id='1'> simple_tests/includes/abi/4.19<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Profile for /usr/bin/foo
|
|
profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) <beginfold id='2'>{</beginfold id='2'>
|
|
#include <abstractions/ubuntu-helpers>
|
|
#include<abstractions/wayland>
|
|
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
|
|
include "/etc/apparmor.d/abstractions/openssl"
|
|
|
|
include if exists <path with spaces>
|
|
include <include_tests/includes_okay_helper.include> #include <includes/base>
|
|
/some/file mr<endfold id='1'>,</endfold id='1'> #include <includes/base> /bin/true Px<endfold id='1'>,</endfold id='1'>
|
|
|
|
# File rules
|
|
/{,**/} r<endfold id='1'>,</endfold id='1'>
|
|
owner /{home,media,mnt,srv,net}/** r<endfold id='1'>,</endfold id='1'>
|
|
owner @{USER_DIR}/** rw<endfold id='1'>,</endfold id='1'>
|
|
audit deny owner /**/* mx<endfold id='1'>,</endfold id='1'>
|
|
/**.[tT][xX][tT] r<endfold id='1'>,</endfold id='1'> # txt
|
|
|
|
owner <beginfold id='1'>file</beginfold id='1'> @{HOME}/.local/share/foo/{,**} rwkl<endfold id='1'>,</endfold id='1'>
|
|
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk<endfold id='1'>,</endfold id='1'>
|
|
|
|
"/usr/share/**" r<endfold id='1'>,</endfold id='1'>
|
|
"/var/lib/flatpak/exports/share/**" r<endfold id='1'>,</endfold id='1'>
|
|
"/var/lib/{spaces in
|
|
string,hello}/a[^ a]a/**" r<endfold id='1'>,</endfold id='1'>
|
|
|
|
allow <beginfold id='1'>file</beginfold id='1'> /etc/nsswitch.conf r<endfold id='1'>,</endfold id='1'>
|
|
allow /etc/fstab r<endfold id='1'>,</endfold id='1'>
|
|
deny /etc/xdg/{autostart,systemd}/** r<endfold id='1'>,</endfold id='1'>
|
|
deny /boot/** rwlkmx<endfold id='1'>,</endfold id='1'>
|
|
|
|
owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r<endfold id='1'>,</endfold id='1'>
|
|
/sys/devices/**/uevent r<endfold id='1'>,</endfold id='1'>
|
|
@{FOO_LIB}/{@{multiarch},64}/** mr<endfold id='1'>,</endfold id='1'>
|
|
|
|
/usr/bin/foo ixr<endfold id='1'>,</endfold id='1'>
|
|
/usr/bin/dolphin pUx<endfold id='1'>,</endfold id='1'>
|
|
/usr/bin/* Pixr<endfold id='1'>,</endfold id='1'>
|
|
/usr/bin/khelpcenter Cx -> sanitized_helper<endfold id='1'>,</endfold id='1'>
|
|
/usr/bin/helloworld cxr ->
|
|
hello_world<endfold id='1'>,</endfold id='1'>
|
|
/bin/** px -> profile<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Dbus rules
|
|
<beginfold id='1'>dbus</beginfold id='1'> (send) #No-Comment
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.DBus.Introspectable
|
|
peer=(name=org.freedesktop.NetworkManager label=unconfined)<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>dbus</beginfold id='1'> (send receive)
|
|
bus=system
|
|
path=/org/freedesktop/NetworkManager
|
|
interface=org.freedesktop.NetworkManager
|
|
member={Introspect,state}
|
|
peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus))<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>dbus</beginfold id='1'> (send)
|
|
bus=session
|
|
path=/org/gnome/GConf/Database/*
|
|
member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>dbus</beginfold id='1'> (bind)
|
|
bus=system
|
|
name=org.bluez<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Signal rules
|
|
<beginfold id='1'>signal</beginfold id='1'> (send) set=(term) peer="/usr/lib/hello/world// foo helper"<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>signal</beginfold id='1'> (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Child profile
|
|
profile hello_world <beginfold id='2'>{</beginfold id='2'>
|
|
# File rules (three different ways)
|
|
<beginfold id='1'>file</beginfold id='1'> /usr/lib{,32,64}/helloworld/**.so mr<endfold id='1'>,</endfold id='1'>
|
|
/usr/lib{,32,64}/helloworld/** r<endfold id='1'>,</endfold id='1'>
|
|
rk /usr/lib{,32,64}/helloworld/hello,file<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Link rules (two ways)
|
|
l /foo1 -> /bar<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>link</beginfold id='1'> /foo2 -> bar<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>link</beginfold id='1'> subset /link* -> /**<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Network rules
|
|
<beginfold id='1'>network</beginfold id='1'> inet6 tcp<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>network</beginfold id='1'> netlink dgram<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>network</beginfold id='1'> bluetooth<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>network</beginfold id='1'> unspec dgram<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Capability rules
|
|
<beginfold id='1'>capability</beginfold id='1'> dac_override<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>capability</beginfold id='1'> sys_admin<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>capability</beginfold id='1'> sys_chroot<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Mount rules
|
|
<beginfold id='1'>mount</beginfold id='1'> options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>mount</beginfold id='1'> options in (rw, bind) / -> /run/hellowordd/*.mnt<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>mount</beginfold id='1'> options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>umount</beginfold id='1'> /home/*/helloworld/<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Pivot Root rules
|
|
<beginfold id='1'>pivot_root</beginfold id='1'> oldroot=/mnt/root/old/ /mnt/root/<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>pivot_root</beginfold id='1'> /mnt/root/<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Ptrace rules
|
|
<beginfold id='1'>ptrace</beginfold id='1'> (trace) peer=unconfined<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>ptrace</beginfold id='1'> (read, trace, tracedby) peer=/usr/lib/hello/helloword<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Unix rules
|
|
<beginfold id='1'>unix</beginfold id='1'> (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined)<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> (send,receive) type=(stream) protocol=0 peer=(addr=none)<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> peer=(label=@{profile_name},addr=@helloworld)<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Rlimit rule
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> data <= 100M<endfold id='1'>,</endfold id='1'>
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> nproc <= 10<endfold id='1'>,</endfold id='1'>
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> memlock <= 2GB<endfold id='1'>,</endfold id='1'>
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> rss <= infinity<endfold id='1'>,</endfold id='1'>
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12<endfold id='1'>,</endfold id='1'>
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> nice <= -12K<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Change Profile rules
|
|
<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> [^u/]**<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>change_profile</beginfold id='1'> unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine}<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>change_profile</beginfold id='1'> /bin/bash ->
|
|
new_profile//hat<endfold id='1'>,</endfold id='1'>
|
|
<endfold id='2'>}</endfold id='2'>
|
|
|
|
# Hat
|
|
^foo-helper\/ <beginfold id='2'>{</beginfold id='2'>
|
|
<beginfold id='1'>network</beginfold id='1'> unix stream<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
|
|
|
|
/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r<endfold id='1'>,</endfold id='1'> # Escape expressions
|
|
|
|
# Text after a variable is highlighted as path
|
|
<beginfold id='1'>file</beginfold id='1'> /my/path r<endfold id='1'>,</endfold id='1'>
|
|
@{FOO_LIB}file r<endfold id='1'>,</endfold id='1'>
|
|
@{FOO_LIB}#my/path r<endfold id='1'>,</endfold id='1'> #Comment
|
|
@{FOO_LIB}ñ* r<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> (/path\t{aa}*,*a @{var}*path,* @{var},*)<endfold id='1'>,</endfold id='1'>
|
|
<endfold id='2'>}</endfold id='2'>
|
|
<endfold id='2'>}</endfold id='2'>
|
|
|
|
# Syntax Error
|
|
/usr/bin/error (complain, audit) <beginfold id='2'>{</beginfold id='2'>
|
|
<beginfold id='1'>file</beginfold id='1'> #include /hello r<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Error: Variable open or with characters not allowed
|
|
@<beginfold id='2'>{</beginfold id='2'>var
|
|
@<beginfold id='2'>{</beginfold id='2'>sdf&s<endfold id='2'>}</endfold id='2'>
|
|
|
|
# Error: Open brackets
|
|
/{hello{ab,cd}world kr<endfold id='1'>,</endfold id='1'>
|
|
/{abc{abc kr<endfold id='1'>,</endfold id='1'>
|
|
/[abc kr<endfold id='1'>,</endfold id='1'>
|
|
/(abc kr<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Error: Empty brackets
|
|
/hello[]hello{}hello()he kr<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Comments not allowed
|
|
<beginfold id='1'>dbus</beginfold id='1'> (send) #No comment
|
|
path=/org/hello
|
|
#No comment
|
|
interface=org.hello #No comment
|
|
peer=(name=org.hello #No comment
|
|
label=unconfined)<endfold id='1'>,</endfold id='1'> #Comment
|
|
|
|
# Don't allow assignment of variables within profiles
|
|
@{VARIABLE} = val1 val2 val3 # Comment
|
|
|
|
# Alias rules not allowed within profiles
|
|
alias /run/ -> /mnt/run/,
|
|
|
|
# Error: Open rule
|
|
/home/*/file rw
|
|
<endfold id='1'></endfold id='1'><beginfold id='1'>capability</beginfold id='1'> dac_override
|
|
<endfold id='1'>deny</endfold id='1'> <beginfold id='1'>file</beginfold id='1'> /etc/fstab w
|
|
<endfold id='1'>audit</endfold id='1'> <beginfold id='1'>network</beginfold id='1'> ieee802154<endfold id='1'>,</endfold id='1'>
|
|
|
|
<beginfold id='1'>dbus</beginfold id='1'> (receive
|
|
<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> stream<endfold id='1'>,</endfold id='1'>
|
|
<endfold id='2'>}</endfold id='2'>
|
|
|
|
profile other_tests <beginfold id='2'>{</beginfold id='2'>
|
|
# set rlimit
|
|
set <beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>rlimit</beginfold id='1'> nice <= 3<endfold id='1'>,</endfold id='1'> # Without "set"
|
|
set #comment
|
|
<beginfold id='1'>rlimit</beginfold id='1'>
|
|
nice <= 3<endfold id='1'>,</endfold id='1'>
|
|
|
|
# "remount" keyword
|
|
<beginfold id='1'>mount</beginfold id='1'> remount
|
|
remount<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>remount</beginfold id='1'> remount
|
|
remount<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>dbus</beginfold id='1'> remount
|
|
<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> remount
|
|
<endfold id='1'></endfold id='1'><beginfold id='1'>remount</beginfold id='1'><endfold id='1'>,</endfold id='1'>
|
|
# "unix" keyword
|
|
<beginfold id='1'>network</beginfold id='1'> unix
|
|
unix<endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>ptrace</beginfold id='1'> unix
|
|
<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
|
|
<beginfold id='1'>unix</beginfold id='1'> unix
|
|
<endfold id='1'></endfold id='1'><beginfold id='1'>unix</beginfold id='1'><endfold id='1'>,</endfold id='1'>
|
|
|
|
# Transition rules
|
|
/usr/bin/foo cx -> hello*<endfold id='1'>,</endfold id='1'> # profile name
|
|
/usr/bin/foo Cx -> path/<endfold id='1'>,</endfold id='1'> # path
|
|
/usr/bin/foo cx -> ab[ad/]hello<endfold id='1'>,</endfold id='1'> # profile name
|
|
/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path<endfold id='1'>,</endfold id='1'> # path
|
|
/usr/bin/foo Cx -> ab[hello/path<endfold id='1'>,</endfold id='1'> # profile name
|
|
|
|
/usr/bin/foo cx -> "hello*"<endfold id='1'>,</endfold id='1'> # profile name
|
|
/usr/bin/foo Cx -> "path/"<endfold id='1'>,</endfold id='1'> # path
|
|
/usr/bin/foo cx -> "ab[ad/]hello"<endfold id='1'>,</endfold id='1'> # profile name
|
|
/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path"<endfold id='1'>,</endfold id='1'> # path
|
|
/usr/bin/foo Cx -> "ab[hello/path"<endfold id='1'>,</endfold id='1'> # profile name
|
|
|
|
/usr/bin/foo cx -> holas//hello/sa<endfold id='1'>,</endfold id='1'> # path
|
|
/usr/bin/foo cx -> df///dd//hat<endfold id='1'>,</endfold id='1'> # path + hat
|
|
/usr/bin/foo cx -> holas,#sd\323fsdf<endfold id='1'>,</endfold id='1'> # profile name
|
|
|
|
# Access modes
|
|
/hello/lib/foo rwklms, # s invalid
|
|
/hello/lib/foo rwmaix, # w & a incompatible
|
|
/hello/lib/foo kalmw,
|
|
/hello/lib/foo wa,
|
|
# OK
|
|
/hello/lib/foo rrwrwwrwrw<endfold id='1'>,</endfold id='1'>
|
|
/hello/lib/foo ixixix<endfold id='1'>,</endfold id='1'>
|
|
# Incompatible exec permissions
|
|
ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
|
|
pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
|
|
Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
|
|
# Test valid permissions
|
|
r w a k l m l x ix ux Ux px Px cx Cx <endfold id='1'>,</endfold id='1'>
|
|
pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx<endfold id='1'>,</endfold id='1'>
|
|
rwklmx raklmx<endfold id='1'>,</endfold id='1'>
|
|
r rw rwk rwkl rwklm<endfold id='1'>,</endfold id='1'>
|
|
rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx<endfold id='1'>,</endfold id='1'>
|
|
rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk<endfold id='1'>,</endfold id='1'>
|
|
rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl<endfold id='1'>,</endfold id='1'>
|
|
|
|
# Profile name
|
|
profile holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile /path <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile holas/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile holas\/abc <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile
|
|
#holas <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
|
|
profile flags=(complain)#asd <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile flags flags=(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
profile flags(complain) <beginfold id='2'>{</beginfold id='2'> ... <endfold id='2'>}</endfold id='2'>
|
|
<endfold id='2'>}</endfold id='2'>
|