[apparmor] [PATCH] update man page for recent mount rule additions
John Johansen
john.johansen at canonical.com
Wed Apr 11 16:56:58 UTC 2012
On 04/11/2012 09:32 AM, Steve Beattie wrote:
> On Wed, Apr 11, 2012 at 11:22:20AM -0500, Jamie Strandboge wrote:
>> On Wed, 2012-04-11 at 07:50 -0700, Steve Beattie wrote:
>>> On Tue, Apr 10, 2012 at 05:06:59PM -0500, Jamie Strandboge wrote:
>>
>>>> +=item B<mount options=ro, mount options=atime /dev/foo,>
>>>
>>> Doesn't the first part need to be 'mount options=ro /dev/foo,' in order
>>> for it to allow the mount of only /dev/foo anywhere?
>>
>> I'd like for John to comment here, but based on the wiki[1], no. Eg:
>>
>> "When both = and in conditional operators are used the options within
>> each condition type can be combined and split interchangeably.
>>
>> mount options=(ro, acl) options in (nodev, user)"
>
> Right, except your example has two rules, no?
>
> mount options=ro,
> mount options=atime /dev/foo,
>
> if it were
>
> mount options=ro options=atime /dev/foo,
>
> then it would do what you want, I think. At least, based on my
> understanding of how the rules work.
>
yep, the first rule allows mounting anything as long as the options
set = ro
the second is allowing /dev/foo to be mounted anywhere.
So for the
>> "When both = and in conditional operators are used the options within
>> each condition type can be combined and split interchangeably."
is for within a single rule
that is to say
mount options=ro options=atime /dev/foo,
is equivalent to
mount options=(ro, atime) /dev/foo,
not
mount options=ro /dev/foo,
mount options=atime /dev/foo,
though now thinking about it, this last interpretation might be better.
It is not too late to change this, so I would like opinions.
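As an added illustration that is not part of this thread or of the AppArmor documentation, two profile fragments contrasting the two-rule form with the single-rule form under the semantics John describes above (one rule with `options=ro options=atime` being equivalent to `options=(ro, atime)`); the profile names, the binary path and `/dev/foo` as the mount source are assumed:

```apparmor
# Added example, not from the thread. Profile names, /usr/bin/mounter and
# /dev/foo are assumed. Shows why the two-rule form is broader than intended.

# Too broad: two independent rules. The first permits mounting ANY source
# anywhere as long as the option set is exactly ro; the second permits
# /dev/foo to be mounted anywhere with atime. Neither rule restricts
# "read-only" to /dev/foo.
profile mounter_broad /usr/bin/mounter {
  mount options=ro,
  mount options=atime /dev/foo,
}

# Scoped: one rule with two conditions. Under the single-rule semantics
# described in the reply this is equivalent to options=(ro, atime), so only
# /dev/foo may be mounted, and only with both options set.
profile mounter_scoped /usr/bin/mounter {
  mount options=ro options=atime /dev/foo,
  # Equivalent spelling of the same rule:
  # mount options=(ro, atime) /dev/foo,
}
```

John's closing remark leaves open whether the split form may instead come to mean two separate rules, so a profile that depends on the combined meaning should be re-checked against the final man page wording.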