Linter

The profiles are checked for common style and security issues with just check. This page documents all the checks performed.

Check system

Future implementation will expand this basic check system to a full linter and security analyzer system.

Overview¶

Output	Check ID	Description
	`abi`	Missing ABI
	`abstractions`	Use of dangerous abstraction
	`abstractions`	Use of deprecated abstraction
	`abstractions`	Use of deprecated, ubuntu only abstraction
	`bin`	Use of `@{sbin}` instead of `@{bin}`
	`directory-mark`	Missing directory mark
	`equivalent`	Missing equivalent program
	`header`	Missing header
	`include`	Missing include
	`indentation`	Invalid indentation
	`profile`	Missing profile name
	`sbin`	Use of `@{bin}` instead of `@{sbin}`
	`subprofiles`	Missing subprofiles
	`tabs`	Tabs are not allowed
	`trailing`	Line has trailing whitespace
	`transition`	`Pix` transition leads to unmaintainable profile
	`transition`	Executable should be should be used inherited: `ix` or `Cx`
	`transition`	Executable should transition to another (sub)profile with `Px` or `Cx`
	`tunables`	Variables must be used
	`udev`	Udev data path without a description comment
	`useless`	Rule already included in the base abstraction
	`vim`	Missing vim syntax
	`transition`	Path `@{bin}/XXX` should transition to a subprofile with 'Cx'
	`too-wide`	Rule too wide may lead to confinement escape or data leaks

Directive¶

We use a special directive to ignore specific checks:

Inline directive is supported
Directive before a paragraph applies to all rules in the paragraph
Directive within the first 5 lines of a file applies to the whole file

Format

#aa:lint ignore=<check>

<check>: Check id to ignore.

Example

Ignore the too-wide check in the dpkg profile:

apparmor.d/groups/apt/dpkg

  #aa:lint ignore=too-wide
  # Install/update packages
  / r,
  /*{,/} rw,
  @{efi}/** rwl -> @{efi}/**,
  /etc/** rwl -> /etc/**,
  /opt/** rwl -> /opt/**,
  /srv/** rwl -> /srv/**,
  /usr/** rwlk -> /usr/**,
  /var/** rwlk -> /var/**,

Description Template¶

---
title: id
---

# `id`

<description of the check>

## Problematic rule

```sh
# WRONG
<example of problematic rule>
```

## Correct rule

```sh
<example of correct rule>
```

## Rationale

<explanation of why the correct rule is better>

## Exceptions

None

## Related Resources