[apparmor] [PATCH] update man page for recent mount rule additions

[John Johansen]

So just a little more explanation of the mount rules weirdness.

On the backend we are are given a bit mask, with one bit per flag and some
flags are the inverse of the other, eg. ro is set, rw when the bit is cleared.

The backend apparmor rule match a trianary.  Set, clear, or don't care (either
value set).


No to the front end, it actually tracks the positive and negative sets separately
so at the front end we could say

  options in (ro,nodev)

is only {ro, nodev}, {ro}, {nodev} but there is no point because we can't
distinguish in the backend so options in basically becomes a list of flags that
are don't cares (can be set or clear).

Yes it is a mess, and confusing but I don't see a way to fix this