test(aa): add testdata full.aa
parent
7317c05646
commit
018073638b
3 changed files with 130 additions and 1 deletions
110
tests/testdata/full.aa
vendored
Normal file
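--- a/tests/testdata/full.aa
+++ b/tests/testdata/full.aa
@@ -0,0 +1,110 @@
+# Simple test profile with all rules used
+
+abi <abi/4.0>,
+
+alias /mnt/usr -> /usr,
+
+include <tunables/global> # optional: a comment
+include if exists "/etc/apparmor.d/global/dummy space"
+
+@{name}=torbrowser "tor browser"
+@{lib_dirs} = @{lib}/@{name} /opt/@{name} # another comment
+@{config_dirs} = @{HOME}/.mozilla/
+@{cache_dirs}=@{user_cache_dirs}/mozilla/
+
+alias /mnt/{,usr.sbin.}mount.cifs -> /sbin/mount.cifs,
+
+@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
+profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach_disconnected) {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+include "/etc/apparmor.d/abstractions/dummy space"
+
+all,
+
+set rlimit nproc <= 200,
+
+userns,
+
+capability dac_read_search,
+capability dac_override,
+
+network inet stream,
+network netlink raw,
+
+mount /{,**},
+mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
+mount options=(rw silent rprivate) -> /oldroot/,
+mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
+
+remount /newroot/{,**},
+
+umount @{run}/user/@{uid}/,
+
+pivot_root oldroot=/tmp/oldroot/ /tmp/,
+
+change_profile -> libvirt-@{uuid},
+
+mqueue r type=posix /,
+
+io_uring sqpoll label=foo,
+
+signal (receive) set=(cont,term,winch) peer=at-spi-bus-launcher,
+
+ptrace (read) peer=nautilus,
+
+unix (send receive) type=stream addr="@/tmp/.ICE[0-9]-unix/19 5" peer=(label=gnome-shell, addr=none),
+
+dbus bind bus=session name=org.gnome.*,
+dbus receive bus=system path=/org/freedesktop/DBus
+interface=org.freedesktop.DBus
+member=AddMatch
+peer=(name=:1.3, label=power-profiles-daemon),
+
+# A comment! before a paragraph of rules
+"/opt/Mullvad VPN/resources/*.so*" mr,
+"/opt/Mullvad VPN/resources/*" r,
+"/opt/Mullvad VPN/resources/openvpn" rix,
+/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
+/opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm,
+
+owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#@{int},
+
+@{run}/udev/data/+pci:* r,
+
+@{sys}/devices/@{pci}/class r,
+
+owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+^action {
+include <abstractions/base>
+include if exists <local/foo_action>
+}
+
+profile systemctl {
+include <abstractions/base>
+include <abstractions/systemctl>
+
+capability net_admin,
+
+include if exists <local/foo_systemctl>
+}
+
+profile sudo {
+include <abstractions/base>
+include <abstractions/app/sudo>
+
+@{sh_path} rix,
+
+include if exists <local/foo_sudo>
+}
+
+include if exists <local/foo>
+}
+
+profile foo2 {
+include <abstractions/base>
+
+include if exists <local/foo2>
+}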