131 lines
5 KiB
Text
131 lines
5 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
# To allow extended personalisation without breaking everything.
|
|
# All apparmor profiles should always use the variables defined here.
|
|
|
|
# Single hexadecimal character
|
|
@{h}=[0-9a-fA-F]
|
|
|
|
# Single alphanumeric character
|
|
@{c}=[0-9a-zA-Z]
|
|
|
|
# Word character. Matches any letter, digit or underscore.
|
|
@{w}=[a-zA-Z0-9_]
|
|
|
|
# Any digit
|
|
@{d}=[0-9]
|
|
|
|
# Integer up to 10 digits (0-9999999999)
|
|
@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}
|
|
|
|
# Unsigned integer over 8 bits (0-255)
|
|
# 0 - 99 100 - 199 200 - 249 250 - 255
|
|
@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]
|
|
|
|
# Unsigned integer over 16 bits (0-65535, 5 digits)
|
|
@{u16}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}
|
|
|
|
# hexadecimal, alphanumeric and word up to 64 characters
|
|
@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
|
|
@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
|
|
@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
|
|
|
|
# Any x digits characters
|
|
@{int2}=@{d}@{d}
|
|
@{int4}=@{int2}@{int2}
|
|
@{int6}=@{int4}@{int2}
|
|
@{int8}=@{int4}@{int4}
|
|
@{int10}=@{int8}@{int2}
|
|
@{int16}=@{int8}@{int8}
|
|
@{int32}=@{int16}@{int16}
|
|
@{int64}=@{int32}@{int32}
|
|
|
|
# Any x hexadecimal characters
|
|
@{hex2}=@{h}@{h}
|
|
@{hex4}=@{hex2}@{hex2}
|
|
@{hex6}=@{hex4}@{hex2}
|
|
@{hex8}=@{hex4}@{hex4}
|
|
@{hex9}=@{hex8}@{h}
|
|
@{hex10}=@{hex8}@{hex2}
|
|
@{hex12}=@{hex8}@{hex4}
|
|
@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
|
|
@{hex16}=@{hex8}@{hex8}
|
|
@{hex32}=@{hex16}@{hex16}
|
|
@{hex38}=@{hex32}@{hex6}
|
|
@{hex64}=@{hex32}@{hex32}
|
|
|
|
# Any x alphanumeric characters
|
|
@{rand2}=@{c}@{c}
|
|
@{rand4}=@{rand2}@{rand2}
|
|
@{rand6}=@{rand4}@{rand2}
|
|
@{rand8}=@{rand4}@{rand4}
|
|
@{rand9}=@{rand8}@{c}
|
|
@{rand10}=@{rand8}@{rand2}
|
|
@{rand12}=@{rand8}@{rand4}
|
|
@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
|
|
@{rand16}=@{rand8}@{rand8}
|
|
@{rand32}=@{rand16}@{rand16}
|
|
@{rand64}=@{rand64}@{rand64}
|
|
|
|
# Any x word characters
|
|
@{word2}=@{w}@{w}
|
|
@{word4}=@{word2}@{word2}
|
|
@{word6}=@{word4}@{word2}
|
|
@{word8}=@{word4}@{word4}
|
|
@{word9}=@{word8}@{w}
|
|
@{word10}=@{word8}@{word2}
|
|
@{word12}=@{word8}@{word4}
|
|
@{word15}=@{word8}@{word4}@{word2}@{w}
|
|
@{word16}=@{word8}@{word8}
|
|
@{word32}=@{word16}@{word16}
|
|
@{word64}=@{word32}@{word32}
|
|
|
|
# Universally unique identifier
|
|
@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
|
|
|
|
# Username & group valid characters
|
|
@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
|
|
@{group}=@{user}
|
|
|
|
# Semantic version
|
|
@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},}
|
|
|
|
# Shortcut for PCI device
|
|
@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
|
|
@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
|
|
@{pci}=@{pci_bus}/**/
|
|
|
|
# hci devices
|
|
@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}
|
|
|
|
# @{MOUNTDIRS} is a space-separated list of where user mount directories
|
|
# are stored, for programs that must enumerate all mount directories on a
|
|
# system.
|
|
@{MOUNTDIRS}=/media/ @{run}/media/@{user}/ /mnt/
|
|
|
|
# @{MOUNTS} is a space-separated list of all user mounted directories.
|
|
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
|
|
|
|
# Common places for binaries and libraries across distributions
|
|
@{bin}=/{,usr/}{,s}bin
|
|
@{lib}=/{,usr/}lib{,exec,32,64}
|
|
|
|
# Common places for temporary files
|
|
@{tmp}=/tmp/ /tmp/user/@{uid}/
|
|
|
|
# Udev data dynamic assignment ranges
|
|
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
|
|
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
|
|
|
|
# Dbus unique name
|
|
@{busname}=:1.@{u16} :not.active.yet
|
|
|
|
# Common architecture names
|
|
@{arch}=x86_64 amd64 i386 i686
|
|
|
|
# OpenSUSE does not have the same multiarch structure
|
|
@{multiarch}+=*-suse-linux* #aa:only opensuse
|
|
|
|
# vim:syntax=apparmor
|