# kate: syntax AppArmor Security Profile; replace-tabs off;

#
# Sample AppArmor Profile.
# License: Public Domain
#
# NOTE: This profile is not fully functional, since
# it is designed to test the syntax highlighting
# for the KDE's KSyntaxHighlighting framework.
#

include

# Variable assignment
@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR}
= @{HOME}/Public @{HOME}/Desktop #No-Comment
@{USER_DIR} += @{HOME}/Hello \
deny owner #No-comment aa#aa
${BOOL} = true

# Alias
alias /usr/ -> /mnt/usr/,

# ABI feature
abi ,
abi <"includes/abi/4.19">,
abi "simple_tests/includes/abi/4.19",
abi simple_tests/includes/abi/4.19,

# Profile for /usr/bin/foo
profile foo /usr/bin/foo flags=(attach_disconnected enforce) xattrs=(myvalue=foo user.bar=* user.foo="bar" ) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"

include if exists
include #include
/some/file mr, #include /bin/true Px,

# File rules
/{,**/} r,
owner /{home,media,mnt,srv,net}/** r,
owner @{USER_DIR}/** rw,
audit deny owner /**/* mx,
/**.[tT][xX][tT] r, # txt

owner file @{HOME}/.local/share/foo/{,**} rwkl,
owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,

"/usr/share/**" r,
"/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
string,hello}/a[^ a]a/**" r,

allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
deny /etc/xdg/{autostart,systemd}/** r,
deny /boot/** rwlkmx,

owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
/sys/devices/**/uevent r,
@{FOO_LIB}/{@{multiarch},64}/** mr,

/usr/bin/foo ixr,
/usr/bin/dolphin pUx,
/usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
hello_world,
/bin/** px -> profile,

# Dbus rules
dbus (send) #No-Comment
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
peer=(name=org.freedesktop.NetworkManager label=unconfined),
dbus (send receive)
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={Introspect,state}
peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
bus=system
name=org.bluez,

# Signal rules
signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,

# Child profile
profile hello_world {
# File rules (three different ways)
file /usr/lib{,32,64}/helloworld/**.so mr,
/usr/lib{,32,64}/helloworld/** r,
rk /usr/lib{,32,64}/helloworld/hello,file,

# Link rules (two ways)
l /foo1 -> /bar,
link /foo2 -> bar,
link subset /link* -> /**,

# Network rules
network inet6 tcp,
network netlink dgram,
network bluetooth,
network unspec dgram,

# Capability rules
capability dac_override,
capability sys_admin,
capability sys_chroot,

# Mount rules
mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
mount options=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
umount /home/*/helloworld/,

# Pivot Root rules
pivot_root oldroot=/mnt/root/old/ /mnt/root/,
pivot_root /mnt/root/,

# Ptrace rules
ptrace (trace) peer=unconfined,
ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,

# Unix rules
unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
unix peer=(label=@{profile_name},addr=@helloworld),

# Rlimit rule
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
set rlimit rss <= infinity,
set rlimit nice <= -12,
set rlimit nice <= -12K,

# Change Profile rules
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile//hat,
}

# Hat
^foo-helper\/ {
network unix stream,
unix stream,

/usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions

# Text after a variable is highlighted as path
file /my/path r,
@{FOO_LIB}file r,
@{FOO_LIB}#my/path r, #Comment
@{FOO_LIB}ñ* r,
unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
}
}

# Syntax Error
/usr/bin/error (complain, audit) {
file #include /hello r,

# Error: Variable open or with characters not allowed
@{var
@{sdf&s}

# Error: Open brackets
/{hello{ab,cd}world kr,
/{abc{abc kr,
/[abc kr,
/(abc kr,

# Error: Empty brackets
/hello[]hello{}hello()he kr,

# Comments not allowed
dbus (send) #No comment
path=/org/hello
#No comment
interface=org.hello #No comment
peer=(name=org.hello #No comment
label=unconfined), #Comment

# Don't allow assignment of variables within profiles
@{VARIABLE} = val1 val2 val3 # Comment

# Alias rules not allowed within profiles
alias /run/ -> /mnt/run/,

# Error: Open rule
/home/*/file rw
capability dac_override
deny file /etc/fstab w
audit network ieee802154,

dbus (receive
unix stream,
unix stream,
}

profile other_tests {
# set rlimit
set rlimit nice <= 3,
rlimit nice <= 3, # Without "set"
set #comment
rlimit
nice <= 3,

# "remount" keyword
mount remount
remount,
remount remount
remount,
dbus remount
remount,
unix remount
remount,
# "unix" keyword
network unix
unix,
ptrace unix
unix,
unix unix
unix,

# Transition rules
/usr/bin/foo cx -> hello*, # profile name
/usr/bin/foo Cx -> path/, # path
/usr/bin/foo cx -> ab[ad/]hello, # profile name
/usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
/usr/bin/foo Cx -> ab[hello/path, # profile name

/usr/bin/foo cx -> "hello*", # profile name
/usr/bin/foo Cx -> "path/", # path
/usr/bin/foo cx -> "ab[ad/]hello", # profile name
/usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
/usr/bin/foo Cx -> "ab[hello/path", # profile name

/usr/bin/foo cx -> holas//hello/sa, # path
/usr/bin/foo cx -> df///dd//hat, # path + hat
/usr/bin/foo cx -> holas,#sd\323fsdf, # profile name

# Access modes
/hello/lib/foo rwklms, # s invalid
/hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
/hello/lib/foo rrwrwwrwrw,
/hello/lib/foo ixixix,
# Incompatible exec permissions
ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
# Test valid permissions
r w a k l m l x ix ux Ux px Px cx Cx ,
pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
rwklmx raklmx,
r rw rwk rwkl rwklm,
rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,

# Profile name
profile holas { ... }
profile { ... }
profile /path { ... }
profile holas/abc { ... }
profile holas\/abc { ... }
profile
#holas { ... }

profile flags=(complain)#asd { ... }
profile flags flags=(complain) { ... }
profile flags(complain) { ... }
}