[apparmor] apparmor.vim - profile format changes since 2.3?

John Johansen john.johansen at canonical.com
Fri Dec 17 09:31:15 GMT 2010

On 12/03/2010 07:37 AM, Christian Boltz wrote:
> Hello,
> the apparmor.vim syntax highlighting is still based on AppArmor 2.3 
> profile syntax.
> Does somebody have a list of changes to the profile format between 
> AppArmor 2.3 and 2.5?
> On https://apparmor.wiki.kernel.org/index.php/TechnicalDoc#Capabilities
> I see user=(...), file-specific capabilities and ipc rules. However the 
> page doesn't say in which version this was (or will be?) added, and 
> maybe doesn't contain all new stuff.
Hey Christian sorry this got dropped.  The answer is very little has
actually changed at the profile language level.  Most of the time has been
spend rewriting parts, and doing under the hood improvements, instead of
getting new features in.

So the changes that I can think of that currently extend 2.3 are

New x transitions
  pix, Pix - which tries px and then falls back to ix if the profile doesn't
  pux, Pux - same thing as pix except falling back to ux

New capabilities have been added
  audit_write, audit_control, set_fcap, mac_override, mac_admin

Profile names can now have globing in them,
  /** {

  would define a default profile.  Matches are prioritized by longest left
  /bin/** { }  would be the preferred match over /** { }, etc.  with the
  exact name being the most preferred match.

The profile flags= keyword is now optional
  eg.  /foo flags=(complain) { }   can now be written as /foo (complain) { }

There some new profile flags
  attach_disconnect, no_attach_disconnected,  chroot_attach, chroot_no_attach, 
  chroot_relative, namespace_relative

include statement do not require # infront of them any more
  #include <abstractions/base>
  include <abstractions/base>

permissions can be specified before the file match.
  rw /foo,

  for named transitions it is written like
  /foo px -> bar,
  px /foo -> bar,  

In the current development versions it will possible to name a profile,
  profile firefox /usr/bin/firefox-* { }

  this makes the profile spec look something like

  [profile] <attachment> [[flags=](<flags>+] { }
  profile <name> [<attachment>] [[flags=](<flags>+] { }

  where names must start with an alphanum
  and attachment must start with / or @{varname}

More information about the AppArmor mailing list