parser: pegs cpu and does not finish when compiling some profiles
When processing some profiles, the parser enters and infinite loop, pegging the cpu at 100%, and does not finish.
example profile that breaks the parser
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
##included <tunables/global>
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010-2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# All the tunables definitions that should be available to every profile
# should be included here
##included <tunables/home>
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/
# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/
# Also, include files in tunables/home.d for site-specific adjustments
##included <tunables/home.d>
#@{HOMEDIRS}+=/daheim/
# @{foo} += /nixda/
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}. See tunables/home for details. Eg:
#@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/
# apparmor.d - Full set of apparmor profiles
# Extended user XDG directories definition
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# To allow extended personalisation by the user without breaking everything.
# All apparmor profiles should always use the variables defined here.
# XDG_*_DIR variables are relative pathnames from the user home directory.
# user_*_dirs variables are absolute path.
# First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
# Extra user personal directories
@{XDG_BOOKS_DIR}="Books"
@{XDG_PROJECTS_DIR}="Projects"
@{XDG_WORK_DIR}="Work"
@{XDG_SYNC_DIR}="Sync"
@{XDG_TORRENTS_DIR}="Torrents"
@{XDG_GAMES_DIR}=".games"
@{XDG_VM_DIR}=".vm"
@{XDG_VM_SHARES_DIR}="VM_Shares"
@{XDG_IMG_DIR}="images"
@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
# User personal keyrings
@{XDG_SSH_DIR}=".ssh"
@{XDG_GPG_DIR}=".gnupg"
@{XDG_PASSWORD_STORE_DIR}=".password-store"
# User personal private directories
@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
# Definition of local user configuration directories
@{XDG_CACHE_DIR}=".cache"
@{XDG_CONFIG_DIR}=".config"
@{XDG_DATA_DIR}=".local/share"
@{XDG_STATE_DIR}=".local/state"
@{XDG_BIN_DIR}=".local/bin"
@{XDG_LIB_DIR}=".local/lib"
# Full path of the user configuration directories
@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR}
@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR}
@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
@{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR}
@{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
# User build directories and output
@{user_build_dirs}="/tmp/build/"
@{user_pkg_dirs}="/tmp/pkg/"
@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
# Other user directories
@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
@{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}
@{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}
@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}
@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}
@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
##included <tunables/multiarch>
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{multiarch} is the set of patterns matching multi-arch library
# install prefixes.
@{multiarch}=*-linux-gnu*
# Also, include files in tunables/multiarch.d for site-specific adjustments
##included <tunables/multiarch.d>
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Define some extra paths for some commonly used system user
# Full path of the GDM configuration directories
@{GDM_HOME}=/var/lib/gdm{,3}/
@{gdm_cache_dirs}=@{GDM_HOME}/.cache/
@{gdm_config_dirs}=@{GDM_HOME}/.config/
@{gdm_local_dirs}=@{GDM_HOME}/.local/
@{gdm_share_dirs}=@{GDM_HOME}/.local/share/
# Full path of the SDDM configuration directories
@{SDDM_HOME}=/var/lib/sddm/
@{sddm_cache_dirs}=@{SDDM_HOME}/.cache/
@{sddm_config_dirs}=@{SDDM_HOME}/.config/
@{sddm_local_dirs}=@{SDDM_HOME}/.local/
@{sddm_share_dirs}=@{SDDM_HOME}/.local/share/
# Full path of the LIGHTDM configuration directories
@{LIGHTDM_HOME}=/var/lib/lightdm/
@{lightdm_cache_dirs}=@{LIGHTDM_HOME}/.cache/
@{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/
@{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/
@{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/
# Full path of all DE configuration directories
@{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME}
@{desktop_cache_dirs}=@{gdm_cache_dirs} @{sddm_cache_dirs} @{lightdm_cache_dirs}
@{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs}
@{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs}
@{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs}
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# To allow extended personalisation without breaking everything.
# All apparmor profiles should always use the variables defined here.
# Single hexadecimal character
@{h}=[0-9a-fA-F]
# Single alphanumeric character
@{c}=[0-9a-zA-Z]
# Integer up to 10 digits (0-9999999999)
@{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}
# hexadecimal, alphanumeric up to 64 characters
@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
# Any x digits characters
@{int2}=[0-9][0-9]
@{int4}=@{int2}@{int2}
@{int6}=@{int4}@{int2}
@{int8}=@{int4}@{int4}
@{int10}=@{int8}@{int2}
@{int16}=@{int8}@{int8}
@{int32}=@{int16}@{int16}
@{int64}=@{int32}@{int32}
# Any x hexadecimal characters
@{hex2}=@{h}@{h}
@{hex4}=@{hex2}@{hex2}
@{hex6}=@{hex4}@{hex2}
@{hex8}=@{hex4}@{hex4}
@{hex9}=@{hex8}@{h}
@{hex10}=@{hex8}@{hex2}
@{hex16}=@{hex8}@{hex8}
@{hex32}=@{hex16}@{hex16}
@{hex38}=@{hex32}@{hex6}
@{hex64}=@{hex32}@{hex32}
# Any x alphanumeric characters
@{rand2}=@{c}@{c}
@{rand4}=@{rand2}@{rand2}
@{rand6}=@{rand4}@{rand2}
@{rand8}=@{rand4}@{rand4}
@{rand9}=@{rand8}@{c}
@{rand10}=@{rand8}@{rand2}
@{rand16}=@{rand8}@{rand8}
@{rand32}=@{rand16}@{rand16}
@{rand64}=@{rand64}@{rand64}
# Universally unique identifier
@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
# Username & group valid characters
@{u}=[a-z0-9_]
@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
@{group}=@{user}
# Shortcut for PCI device
@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
@{pci}=@{pci_bus}/**/
# hci devices
@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}
# @{MOUNTDIRS} is a space-separated list of where user mount directories
# are stored, for programs that must enumerate all mount directories on a
# system.
@{MOUNTDIRS}=/media/ @{run}/media/@{user}/ /mnt/
# @{MOUNTS} is a space-separated list of all user mounted directories.
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
@{bin}=/{,usr/}{,s}bin
@{lib}=/{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
# Udev data dynamic assignment ranges
@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
# OpenSUSE does not have the same multiarch structure
@{multiarch}+=*-suse-linux* #aa:only opensuse
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# The following is a space-separated list of where additional multipath
# prefixes are stored, each should not have a trailing '/'. Directories
# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
#@{multiarch}+=*-freebsd* s390-hurd-zomg
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Define some some commonly used programs. This is not an exhaustive list.
# It is meant to label programs to easily provide access in profiles.
# Default distribution shells
@{sh} = sh bash dash
# All interactive shells users may want to use
@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
# Coreutils programs that should not have dedicated profile
@{coreutils} = flags=(complain) {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand
@{coreutils} += expr factor false find fmt fold flags=(complain) {,e,f}grep head hostid id install join link
@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
@{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes
# Browsers
@{brave_name} = brave{,-beta,-dev,-bin}
@{brave_lib_dirs} = /opt/brave{-bin,.com}{,/@{brave_name}}
@{chrome_name} = chrome{,-beta,-stable,-unstable}
@{chrome_lib_dirs} = /opt/google/@{chrome_name}
@{chromium_name} = chromium
@{chromium_lib_dirs} = @{lib}/@{chromium_name}
@{firefox_name} = firefox{,.sh,-esr,-bin}
@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
@{opera_name} = opera{,-beta,-developer}
@{opera_lib_dirs} = @{lib}/@{multiarch}/@{opera_name}
@{msedge_name} = msedge{,-beta,-dev}
@{msedge_lib_dirs} = /opt/microsoft/@{msedge_name}
@{torbrowser_name} = torbrowser "tor browser"
@{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
# Emails
@{thunderbird_name} = thunderbird{,.sh,-bin}
@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
@{emails} = evolution geary
# File explorers
@{file_explorers} = dolphin nautilus thunar
# Text editors
@{text_editors} = code gedit mousepad gnome-text-editor
# Document viewers
@{document_viewers} = evince okular *{F,f}oliate YACReader
# Image viewers
@{image_viewers} = eog loupe ristretto
# Archive viewers
@{archive_viewers} = engrampa file-roller xarchiver
# Office suites
@{offices} = libreoffice soffice
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Define some variables for some commonly used profile. They may be used in
# other profiles peer label.
# All variables that refer to a profile name should be prefixed with `p_`
# Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
@{p_systemd}=unconfined
@{p_systemd_user}=unconfined
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Define some paths for some commonly used programs
# All variables that refer to a path should have the `_path` suffix.
# Shells
@{sh_path} = @{bin}/@{sh}
@{shells_path} = @{bin}/@{shells}
# Coreutils programs that should not have dedicated profile
@{coreutils_path} = @{bin}/@{coreutils}
# Browsers
@{brave_path} = @{brave_lib_dirs}/@{brave_name}
@{chrome_path} = @{opera_lib_dirs}/@{chrome_name}
@{chromium_path} = @{chromium_lib_dirs}/@{chromium_name}
@{firefox_path} = @{bin}/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}
@{msedge_path} = @{msedge_lib_dirs}/@{msedge_name}
@{opera_path} = @{opera_lib_dirs}/@{opera_name}
@{torbrowser_path} = @{torbrowser_lib_dirs}/firefox{,.real}
@{browsers_path} = @{bin}/chromium @{bin}/torbrowser
@{browsers_path} += @{brave_path} @{chrome_path} @{chromium_path} @{firefox_path} @{msedge_path} @{opera_path}
# Emails
@{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}
@{emails_path} = @{thunderbird_path} @{bin}/@{emails}
# Open
@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio
@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
# File explorers
@{file_explorers_path} = @{bin}/@{file_explorers}
# Text editors
@{text_editors_path} = @{bin}/@{text_editors} /usr/share/code/{bin/,}code
# Document viewers
@{document_viewers_path} = @{bin}/@{document_viewers}
# Image viewers
@{image_viewers_path} = @{bin}/@{image_viewers}
# Archive viewers
@{archive_viewers_path} = @{bin}/@{archive_viewers}
# Office suites
@{offices_path} = @{bin}/@{offices} @{lib}/libreoffice/program/soffice
@{user_password_store_dirs}+= /home/cb/.opensuse-pass/ /home/cb/.cboltz-pass/
##included <tunables/proc>
# ------------------------------------------------------------------
#
# Copyright (C) 2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/
# Also, include files in tunables/proc.d for site-specific adjustments
##failed include <tunables/proc.d>
##included <tunables/alias>
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Alias rules can be used to rewrite paths and are done after variable
# resolution. For example, if '/usr' is on removable media:
# alias /usr/ -> /mnt/usr/,
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
# Also, include files in tunables/alias.d for site-specific adjustments
##failed include <tunables/alias.d>
##included <tunables/kernelvars>
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# This file should contain declarations to kernel vars or variables
# that will become kernel vars at some point
# until kernel vars are implemented
# and until the parser supports nested groupings like
# @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
# use
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
#same pattern as @{pid} for now
@{tid}=@{pid}
#A pattern for pids that can appear
@{pids}=@{pid}
# Placeholder for user id until kernel var is implemented to match
# current user of the confined application.
# Values are 0...4,294,967,295 (32-bit unsigned, 10 digits).
@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}
#same pattern as @{uid} for now
@{uids}=@{uid}
# until kernel var is implemented
@{sys}=/sys/
# Also, include files in tunables/kernelvars.d for site-specific adjustments
##failed include <tunables/kernelvars.d>
##included <tunables/xdg-user-dirs>
# ------------------------------------------------------------------
#
# Copyright (C) 2014 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Define the common set of XDG user directories (usually defined in
# /etc/xdg/user-dirs.defaults)
@{XDG_DESKTOP_DIR}="Desktop"
@{XDG_DOWNLOAD_DIR}="Downloads"
@{XDG_TEMPLATES_DIR}="Templates"
@{XDG_PUBLICSHARE_DIR}="Public"
@{XDG_DOCUMENTS_DIR}="Documents"
@{XDG_MUSIC_DIR}="Music"
@{XDG_PICTURES_DIR}="Pictures"
@{XDG_VIDEOS_DIR}="Videos"
# Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
##included <tunables/xdg-user-dirs.d>
# ------------------------------------------------------------------
#
# Copyright (C) 2014 Canonical Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# The following may be used to add additional entries such as for
# translations. See tunables/xdg-user-dirs for details. Eg:
#@{XDG_MUSIC_DIR}+="Musique"
#@{XDG_DESKTOP_DIR}+=""
#@{XDG_DOWNLOAD_DIR}+=""
#@{XDG_TEMPLATES_DIR}+=""
#@{XDG_PUBLICSHARE_DIR}+=""
#@{XDG_DOCUMENTS_DIR}+=""
#@{XDG_MUSIC_DIR}+=""
#@{XDG_PICTURES_DIR}+=""
#@{XDG_VIDEOS_DIR}+=""
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# To allow extended personalisation by the user without breaking everything.
# All apparmor profiles should always use the variables defined here.
# XDG_*_DIR variables are relative pathnames from the user home directory.
# user_*_dirs variables are absolute path.
# Second part. First part in /etc/apparmor.d/tunables/home.d/apparmor.d
# Other user directories
@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}
@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}
@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}
@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}
##failed include <tunables/xdg-user-dirs.d/apparmor.d.d>
##included <tunables/share>
@{flatpak_exports_root} = {flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}
# System-wide directories with behaviour analogous to /usr/share
# in patterns like the freedesktop.org basedir spec. These are
# owned by root or a system user, appear in XDG_DATA_DIRS, and
# are the parent directory for `applications`, `themes`,
# `dbus-1/services`, etc.
@{system_share_dirs} = /{usr,usr/local,var/lib/@{flatpak_exports_root}}/share
# Per-user/personal directories with behaviour analogous to
# ~/.local/share in patterns like the freedesktop.org basedir spec.
# These are owned by the user running an application, appear in
# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
# for the same subdirectories as @{system_share_dirs}
@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
# Also, include files in tunables/share.d for site-specific adjustments
##failed include <tunables/share.d>
##included <tunables/etc>
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{etc_ro} contains a space-separated list of the system configuration directories.
# Traditionally this means /etc/, but when using a read-only / filesystem and/or
# with the goal of having only user-modified config files in /etc/, directories
# like /usr/etc/ get introduced for storing the default config.
# @{etc_ro} contains directories with configuration files, including read-only directories.
# Do not use @{etc_ro} in rules that allow write access.
@{etc_ro}=/etc/ /usr/etc/
# @{etc_rw} contains directories where writing to configuration files is allowed.
# @{etc_rw} should always be a subset of @{etc_ro}.
#
# Only use @{etc_rw} if the profile allows writing to a configuration file.
# For rules that only allows read access, use @{etc_ro}.
@{etc_rw}=/etc/
# Also, include files in tunables/etc.d for site-specific adjustments
##included <tunables/etc.d>
@{user_videos_dirs}+=/dev/shm/
##included <tunables/run>
@{run}=/run/ /var/run/
# Also, include files in tunables/run.d for site-specific adjustments
##failed include <tunables/run.d>
# Also, include files in tunables/global.d for site-specific adjustments
##failed include <tunables/global.d>
@{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
profile tumblerd /{,usr/}lib{,exec,32,64}/{,*-linux-gnu*/}tumbler-1/tumblerd flags=(complain) {
##included <abstractions/base>
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
##included <abstractions/crypto>
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
# Global config of openssl
##included <abstractions/openssl>
# ------------------------------------------------------------------
#
# Copyright (C) 2011 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/4.0>,
/etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r,
/etc/ssl/{engdef*,engines*}.d/ r,
/etc/ssl/{engdef*,engines*}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,
# Include additions to the abstraction
##failed include <abstractions/openssl.d>
@{etc_ro}/gcrypt/hwf.deny r,
@{etc_ro}/gcrypt/random.conf r,
@{PROC}/sys/crypto/fips_enabled r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# crypto policies used by various libraries
/etc/crypto-policies/*/*.txt r,
/usr/share/crypto-policies/*/*.txt r,
# Global gnutls config
@{etc_ro}/gnutls/config r,
@{etc_ro}/gnutls/pkcs11.conf r,
##included <abstractions/crypto.d>
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
##skipped duplicate include <abstractions/openssl>
@{etc_ro}/gnutls/config r,
@{etc_ro}/gnutls/pkcs11.conf r,
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
# time and getrandom()/{,u}random and, when available, runs under an
# unprivilged, dedicated user).
@{run}/uuidd/request r,
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_rw}/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo{,-icu}/ r,
/usr/share/zoneinfo{,-icu}/** r,
/usr/share/X11/locale/** r,
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
@{run}/systemd/journal/socket w,
# Nested containers and anything using systemd-cat need this. 'r' shouldn't
# be required but applications fail without it. journald doesn't leak
# anything when reading so this is ok.
@{run}/systemd/journal/stdout rw,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
@{etc_ro}/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
/{usr/,}lib{,32,64}/** r,
/{usr/,}lib{,32,64}/**.so* mr,
/{usr/,}lib/@{multiarch}/** r,
/{usr/,}lib/@{multiarch}/**.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
/{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
# FIPS-140-2 versions of some crypto libraries need to access their
# associated integrity verification file, or they will abort.
/{usr/,}lib{,32,64}/.lib*.so*.hmac r,
/{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r,
# transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix (receive) peer=(label=unconfined),
# Allow us to create abstract and anonymous sockets
unix (create),
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/ r,
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
# Include additions to the abstraction
##included <abstractions/base.d>
/etc/ld.so.cache r,
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Allow to receive some signals from new well-known profiles
signal (receive) peer=htop,
signal (receive) peer=sudo,
signal (receive) peer=top,
signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
signal (receive) set=(cont,term) peer=@{p_systemd_user},
signal (receive) set=(cont,term) peer=@{p_systemd},
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(term,kill) peer=gnome-shell,
signal (receive) set=(term,kill) peer=gnome-system-monitor,
signal (receive) set=(term,kill) peer=openbox,
signal (receive) set=(term,kill) peer=su,
ptrace (readby) peer=systemd-coredump,
/usr/share/locale/ r,
@{etc_rw}/localtime r,
/etc/locale.conf r,
@{sys}/devices/system/cpu/possible r,
@{PROC}/sys/kernel/core_pattern r,
deny /apparmor/.null rw,
##included <abstractions/gstreamer>
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
@{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
@{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
@{lib}/frei0r-@{int}/*.so mr,
# FIXME: not compatible with FSP mode due conflicting x modifiers
@{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
@{lib}/gstreamer-1.0/gst-plugin-scanner rix,
/etc/openni2/OpenNI.ini r,
/tmp/ r,
/var/tmp/ r,
owner @{HOME}/orcexec.@{rand6} rw,
owner @{HOME}/.gstreamer-@{int}.@{int}/ rw,
owner @{HOME}/.gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw,
owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw,
owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.*.bin{,.tmp@{rand6}} rw,
# The orcexec.* file is JIT compiled code for various GStreamer elements.
# If one is blocked the next is used instead.
# The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag.
owner @{run}/user/@{uid}/orcexec.@{rand6} mrw,
#owner /tmp/orcexec.* mrw,
#owner @{HOME}/orcexec.* mrw,
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c189:@{int} r, # For USB serial converters
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{sys}/bus/ r,
@{sys}/bus/media/devices/ r,
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/video4linux/ r,
@{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
/dev/ r,
/dev/bus/usb/ r,
/dev/dri/ r,
##included <abstractions/gstreamer.d>
/usr/libexec/gstreamer-1.0/gst-plugin-scanner-x86_64 mrix,
##included <abstractions/nameservice-strict>
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Many programs wish to perform nameservice-like operations, such as looking up
# users by name or id, groups by name or id, hosts by name or IP, etc.
@{etc_ro}/default/nss r,
@{etc_ro}/gai.conf r,
@{etc_ro}/group r,
@{etc_ro}/host.conf r,
@{etc_ro}/hosts r,
@{etc_ro}/nsswitch.conf r,
@{etc_ro}/passwd r,
@{etc_ro}/protocols r,
@{etc_ro}/resolv.conf r,
@{etc_ro}/services r,
# On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
@{etc_ro}/authselect/nsswitch.conf r,
# Alternative location for group & passwd files
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
/var/lib/nscd/group r,
/var/lib/nscd/passwd r,
@{run}/nscd/db* r,
@{run}/resolvconf/resolv.conf r,
@{run}/systemd/resolve/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
# NSS records from systemd-userdbd.service
#
# Allow User/Group lookups via common VarLink socket APIs. Applications need
# to either consult all of them or the io.systemd.Multiplexer frontend.
#
# https://systemd.io/USER_GROUP_API/
# https://systemd.io/USER_RECORD/
# https://www.freedesktop.org/software/systemd/man/nss-systemd.html
#
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
@{run}/systemd/userdb/io.systemd.Multiplexer rw,
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
@{PROC}/sys/kernel/random/boot_id r,
##failed include <abstractions/nameservice-strict.d>
##included <abstractions/thumbnails-cache-write>
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
owner @{user_cache_dirs}/thumbnails/ rw,
owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw,
owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw,
owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png rw,
owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int},
owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} rw,
owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} rw,
##failed include <abstractions/thumbnails-cache-write.d>
@{exec_path} mr,
/usr/share/backgrounds/xfce/{,**} r,
/usr/share/thumbnailers/{,**} r,
/etc/fstab r,
/etc/xdg/tumbler/* r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/ r,
##failed include <local/tumblerd>
}
Reported-by:
Edited by John Johansen