apparmor.d/pkg/aa/data_test.go

395 lines
11 KiB
Go
Raw Normal View History

// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
package aa
var (
2024-05-28 19:23:37 +02:00
// Comment
comment1 = &Comment{RuleBase: RuleBase{Comment: "comment", IsLineRule: true}}
comment2 = &Comment{RuleBase: RuleBase{Comment: "another comment", IsLineRule: true}}
// Abi
abi1 = &Abi{IsMagic: true, Path: "abi/4.0"}
abi2 = &Abi{IsMagic: true, Path: "abi/3.0"}
// Alias
alias1 = &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}
alias2 = &Alias{Path: "/mnt/var", RewrittenPath: "/var"}
2023-09-30 14:55:56 +02:00
// Include
2023-10-01 20:04:43 +02:00
include1 = &Include{IsMagic: true, Path: "abstraction/base"}
include2 = &Include{IsMagic: false, Path: "abstraction/base"}
include3 = &Include{IfExists: true, IsMagic: true, Path: "abstraction/base"}
includeLocal1 = &Include{IfExists: true, IsMagic: true, Path: "local/foo"}
2024-05-28 19:23:37 +02:00
// Variable
variable1 = &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}
variable2 = &Variable{Name: "exec_path", Values: []string{"@{bin}/foo", "@{lib}/foo"}, Define: true}
// All
all1 = &All{}
all2 = &All{RuleBase: RuleBase{Comment: "comment"}}
2023-10-01 20:04:43 +02:00
// Rlimit
rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"}
rlimit2 = &Rlimit{Key: "cpu", Op: "<=", Value: "2"}
rlimit3 = &Rlimit{Key: "nproc", Op: "<", Value: "2"}
2023-09-30 14:55:56 +02:00
2024-05-28 19:23:37 +02:00
// Userns
userns1 = &Userns{Create: true}
userns2 = &Userns{}
// Capability
capability1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "cap",
"operation": "capable",
"capname": "net_admin",
"capability": "12",
"profile": "pkexec",
"comm": "pkexec",
}
capability1 = &Capability{Names: []string{"net_admin"}}
capability2 = &Capability{Names: []string{"sys_ptrace"}}
// Network
network1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "net",
"operation": "create",
"family": "netlink",
"profile": "sddm-greeter",
"sock_type": "raw",
"protocol": "15",
"requested_mask": "create",
"denied_mask": "create",
"comm": "sddm-greeter",
}
2023-10-01 20:04:43 +02:00
network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"}
network2 = &Network{Domain: "inet", Type: "dgram"}
// Mount
mount1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "mount",
"operation": "mount",
"info": "failed perms check",
"error": "-13",
"profile": "dockerd",
"name": "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/",
"comm": "dockerd",
"fstype": "overlay",
"srcname": "overlay",
}
mount2Log = map[string]string{
"apparmor": "ALLOWED",
"class": "mount",
"operation": "mount",
"info": "failed perms check",
"error": "-13",
"profile": "loupe",
"name": "/newroot/dev/tty",
"comm": "bwrap",
"srcname": "/oldroot/dev/tty",
"flags": "rw, rbind",
}
mount1 = &Mount{
2024-05-25 23:16:31 +02:00
RuleBase: RuleBase{Comment: " failed perms check"},
MountConditions: MountConditions{FsType: "overlay"},
2023-09-29 21:10:38 +02:00
Source: "overlay",
MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/",
}
mount2 = &Mount{
2024-05-25 23:16:31 +02:00
RuleBase: RuleBase{Comment: " failed perms check"},
MountConditions: MountConditions{Options: []string{"rw", "rbind"}},
Source: "/oldroot/dev/tty",
MountPoint: "/newroot/dev/tty",
}
2024-05-28 19:23:37 +02:00
// Remount
remount1 = &Remount{MountPoint: "/"}
remount2 = &Remount{MountPoint: "/{,**}/"}
// Umount
2024-05-28 19:23:37 +02:00
umount1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "mount",
"operation": "umount",
"profile": "systemd",
"name": "/",
"comm": "(ostnamed)",
}
umount1 = &Umount{MountPoint: "/"}
umount2 = &Umount{MountPoint: "/oldroot/"}
// PivotRoot
2023-11-28 16:31:43 +01:00
pivotroot1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "mount",
"profile": "systemd",
"operation": "pivotroot",
"comm": "(ostnamed)",
"name": "@{run}/systemd/mount-rootfs/",
"srcname": "@{run}/systemd/mount-rootfs/",
}
pivotroot1 = &PivotRoot{
OldRoot: "@{run}/systemd/mount-rootfs/",
NewRoot: "@{run}/systemd/mount-rootfs/",
}
pivotroot2 = &PivotRoot{
OldRoot: "@{run}/systemd/mount-rootfs/",
NewRoot: "/newroot",
TargetProfile: "brwap",
}
pivotroot3 = &PivotRoot{
NewRoot: "/newroot",
}
2023-10-01 20:04:43 +02:00
// Change Profile
changeprofile1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "file",
"profile": "systemd",
"operation": "change_onexec",
"comm": "(systemd)",
"name": "systemd-user",
"target": "systemd-user",
}
changeprofile1 = &ChangeProfile{ProfileName: "systemd-user"}
changeprofile2 = &ChangeProfile{ProfileName: "brwap"}
changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"}
2023-10-01 20:04:43 +02:00
2024-05-28 19:23:37 +02:00
// Mqueue
mqueue1 = &Mqueue{Access: []string{"r"}, Type: "posix", Name: "/"}
mqueue2 = &Mqueue{Access: []string{"r"}, Type: "sysv", Name: "/"}
// IO Uring
iouring1 = &IOUring{Access: []string{"sqpoll"}, Label: "foo"}
iouring2 = &IOUring{Access: []string{"override_creds"}}
// Signal
signal1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "signal",
"profile": "firefox",
"operation": "signal",
"comm": "49504320492F4F20506172656E74",
"requested_mask": "receive",
"denied_mask": "receive",
"signal": "kill",
"peer": "firefox//&firejail-default",
}
signal1 = &Signal{
Access: []string{"receive"},
Set: []string{"kill"},
2023-09-29 21:10:38 +02:00
Peer: "firefox//&firejail-default",
}
signal2 = &Signal{
Access: []string{"receive"},
Set: []string{"up"},
2023-09-29 21:10:38 +02:00
Peer: "firefox//&firejail-default",
}
// Ptrace
ptrace1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "ptrace",
"profile": "xdg-document-portal",
"operation": "ptrace",
"comm": "pool-/usr/lib/x",
"requested_mask": "read",
"denied_mask": "read",
"peer": "nautilus",
}
ptrace2Log = map[string]string{
"apparmor": "DENIED",
"class": "ptrace",
"operation": "ptrace",
"comm": "systemd-journal",
"requested_mask": "readby",
"denied_mask": "readby",
"peer": "systemd-journald",
}
ptrace1 = &Ptrace{Access: []string{"read"}, Peer: "nautilus"}
ptrace2 = &Ptrace{Access: []string{"readby"}, Peer: "systemd-journald"}
// Unix
unix1Log = map[string]string{
"apparmor": "ALLOWED",
"class": "unix",
"family": "unix",
"operation": "file_perm",
"profile": "gsettings",
"comm": "dbus-daemon",
"requested_mask": "send receive",
"addr": "none",
"peer_addr": "@/tmp/dbus-AaKMpxzC4k",
"peer": "dbus-daemon",
"denied_mask": "send receive",
"sock_type": "stream",
"protocol": "0",
}
unix1 = &Unix{
2024-05-25 23:16:31 +02:00
Access: []string{"send", "receive"},
2024-04-15 00:58:34 +02:00
Type: "stream",
Protocol: "0",
Address: "none",
PeerAddr: "@/tmp/dbus-AaKMpxzC4k",
PeerLabel: "dbus-daemon",
}
unix2 = &Unix{
RuleBase: RuleBase{FileInherit: true},
Access: []string{"receive"},
Type: "stream",
}
// Dbus
dbus1Log = map[string]string{
"apparmor": "ALLOWED",
"operation": "dbus_method_call",
"bus": "session",
"path": "/org/gtk/vfs/metadata",
"interface": "org.gtk.vfs.Metadata",
"member": "Remove",
"name": ":1.15",
"mask": "receive",
"label": "gvfsd-metadata",
"peer_pid": "3888",
"peer_label": "tracker-extract",
}
dbus2Log = map[string]string{
"apparmor": "ALLOWED",
"operation": "dbus_bind",
"bus": "session",
"name": "org.gnome.evolution.dataserver.Sources5",
"mask": "bind",
"pid": "3442",
"label": "evolution-source-registry",
}
dbus1 = &Dbus{
Access: []string{"receive"},
Bus: "session",
Path: "/org/gtk/vfs/metadata",
Interface: "org.gtk.vfs.Metadata",
Member: "Remove",
2024-04-15 00:58:34 +02:00
PeerName: ":1.15",
PeerLabel: "tracker-extract",
}
dbus2 = &Dbus{
Access: []string{"bind"},
Bus: "session",
Name: "org.gnome.evolution.dataserver.Sources5",
}
2023-10-01 20:04:43 +02:00
dbus3 = &Dbus{
Access: []string{"bind"},
2023-10-01 20:04:43 +02:00
Bus: "session",
Name: "org.gnome.evolution.dataserver",
}
// File
file1Log = map[string]string{
"apparmor": "ALLOWED",
"operation": "open",
"class": "file",
"profile": "cupsd",
"name": "/usr/share/poppler/cMap/Identity-H",
"comm": "gs",
"requested_mask": "r",
"denied_mask": "r",
"fsuid": "209",
"FSUID": "cups",
"ouid": "0",
"OUID": "root",
}
file2Log = map[string]string{
"apparmor": "ALLOWED",
"operation": "open",
"class": "file",
"profile": "gsd-print-notifications",
"name": "@{PROC}/4163/cgroup",
"comm": "gsd-print-notif",
"requested_mask": "r",
"denied_mask": "r",
"fsuid": "1000",
"FSUID": "user",
"ouid": "1000",
"OUID": "user",
"error": "-1",
}
file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}
file2 = &File{
RuleBase: RuleBase{NoNewPrivs: true},
Owner: true,
Path: "@{PROC}/4163/cgroup",
Access: []string{"r"},
}
2024-05-25 23:16:31 +02:00
// Link
link3LogStr = `apparmor="ALLOWED" operation="link" class="file" profile="dolphin" name="@{user_config_dirs}/kiorc" comm="dolphin" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="@{user_config_dirs}/#3954"`
2024-05-25 23:16:31 +02:00
link1Log = map[string]string{
"apparmor": "ALLOWED",
"operation": "link",
"class": "file",
"profile": "mkinitcpio",
"name": "/tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
"comm": "cp",
"requested_mask": "l",
"denied_mask": "l",
"fsuid": "0",
"ouid": "0",
"target": "/tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
"FSUID": "root",
"OUID": "root",
}
link3Log = map[string]string{
"apparmor": "ALLOWED",
"operation": "link",
"class": "file",
"profile": "dolphin",
"name": "@{user_config_dirs}/kiorc",
"comm": "dolphin",
"requested_mask": "l",
"denied_mask": "l",
"fsuid": "1000",
"ouid": "1000",
"target": "@{user_config_dirs}/#3954",
}
2024-05-25 23:16:31 +02:00
link1 = &Link{
Path: "/tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
Target: "/tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst",
}
link2 = &Link{
2024-05-25 23:16:31 +02:00
Owner: true,
Path: "@{user_config_dirs}/powerdevilrc{,.@{rand6}}",
Target: "@{user_config_dirs}/#@{int}",
}
link3 = &Link{
Owner: true,
Path: "@{user_config_dirs}/kiorc",
Target: "@{user_config_dirs}/#3954",
}
2024-05-28 19:23:37 +02:00
// Profile
profile1 = &Profile{
Header: Header{
Name: "sudo",
Attachments: []string{},
Attributes: map[string]string{},
Flags: []string{},
},
}
profile2 = &Profile{
Header: Header{
Name: "systemctl",
Attachments: []string{},
Attributes: map[string]string{},
Flags: []string{},
},
}
// Hat
hat1 = &Hat{Name: "user"}
hat2 = &Hat{Name: "root"}
)