[apparmor] [PATCH 06/10] Add basic documentation of change_profile rules to apparmor.d man page

John Johansen john.johansen at canonical.com
Sat Mar 21 10:41:45 UTC 2015


On 03/20/2015 05:53 AM, Christian Boltz wrote:
> Hello,
> 
> On Friday, 20 March 2015, John Johansen wrote:
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>>  parser/apparmor.d.pod | 22 +++++++++++++++++++++-
>>  1 file changed, 21 insertions(+), 1 deletion(-)
>>
>> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
>> index 70d9c8c..08407de 100644
>> --- a/parser/apparmor.d.pod
>> +++ b/parser/apparmor.d.pod
> ...
>> +=head2 change_profile rules
>> +
>> +AppArmor supports self directed profile transitions via the
>> change_profile +api. Change_profile rules control which permissions
>> for which profiles +a confined task can transition to.  The profile
>> name can contain apparmor +pattern matching to specify different
>> profiles.
>> +
>> +  change_profile -> **,
>> +
>> +The change_profile api allows the transition to be delayed until when
>> +a task executes another application. 
> 
> Please make the following a separate paragraph.
> 
>> Change_profile permission can
>> +restrict which profiles can be transitioned to based off of the
>> executable +name by specifying the exec condition.
>> +
>> +  change_profile /bin/bash -> new_profile,
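
Review bot: The first example, "change_profile -> **,", is shown without saying what it permits. The sentence before it says the profile name can contain AppArmor pattern matching, so the man page should state outright that this rule allows the confined task to transition to any profile, and show a rule naming a single profile or a narrower pattern next to it so the broadest form is not the only one a reader can copy. The sentence "Change_profile rules control which permissions for which profiles a confined task can transition to" is also hard to parse; "control which profiles a confined task can transition to" reads more clearly. For the exec condition paragraph, the text should say what a rule without an exec condition means for the delayed transition, that is, whether it then applies regardless of which executable is run.
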
> 
> A short explanation why this is useful would be nice, for example 
> something like (assuming I understand it right)
> 
>     Specifying an exec condition is useful if your profile contains ix 
>     rules, and you want to allow the transition only if done by the
>     specific executable.
> 
> Feel free to adjust the text ;-)
> 
> With the above changes,
> Acked-by: Christian Boltz <apparmor at cboltz.de>

I haven't added your Acked-by to the new revision of the patch because
I ended up editing more of the description than what you pointed out.



