[apparmor] [PATCH 10/10] Add basic info about link rules to apparmor.d man page

Fri Mar 20 19:06:07 UTC 2015

Hello,

Am Freitag, 20. März 2015 schrieb John Johansen:
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/apparmor.d.pod | 27 +++++++++++++++++++++++++--
>  1 file changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 03537ae..b437d21 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
...
> @@ -165,7 +165,7 @@ B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' |
> 'eavesdrop' )  (some accesses a
> 
>  B<AARE> = B<?*[]{}^> (see below for meanings)
> 
> -B<UNIX RILE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [
> I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
> +B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [
> I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]

Nice typo ;-)

> @@ -207,6 +207,8 @@ B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px'
> | 'Px' | 'cx' | 'Cx' | 'pix' |
> 
>  B<EXEC TARGET> = name  (requires I<EXEC TRANSITION> specified)
> 
> +B<LINK RULE> = I<FILE QUALIFIERS> 'link' [ 'subset' ] <FILEGLOB> (
> 'to' | '-E<gt>' ) <FILEGLOB> ',' +
>  B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
> 
>  B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated
> values) @@ -530,6 +532,27 @@ may be allowed, Eg.
> 
>  =back
> 
> +=head2 Link rules
> +
> +Link rules allow specifying permission to form a hard link as a link
> +target pair.  If the subset condition is specified then the
> permissions +to access the link file must be a subset of the profiles
> permissions +to access the target file.

'subset' usually translates to "need aspirin" when trying to understand 
it. Maybe a short example profile would make it easier to understand.

> +The link rule is equivalent to specifying the 'l' link permission as
> +a leading permission with no other file access permissions. When this
> +is done the link rule options can be specified.
> +
> +The following link rule is equivalent to the 'l' permission file rule
> +  link /foo -> bar,
> +  l /foo -> /bar,
> +
> +File rules that specify the 'l' permission and don't specify the
> extend +link permissions map to link rules as follows.
> +  /foo l,
> +  l /foo,
> +  link subset /foo -> /**,

With or without an example for subset added,
Acked-by: Christian Boltz <apparmor at cboltz.de>

BTW: My Acks in this patchset are also for 2.9, even if I didn't mention 
it on each patch.

Regards,

Christian Boltz
-- 
> über browser?, wie wärs mit (ISDN)Telefon - ich hab da reboot und
> rcsmpppd restart
Habe ich mir auch schon überlegt! Aber die Vorstellung war dann doch
etwas komisch: "Ja, Schatz! Ich komme gleich ins Bett! Muss nur noch
kurz meinen Router (unterm Tisch) anrufen, damit er runterfährt!"
[> Andre Fischer und Michael Frank in suse-linux]