[apparmor] [PATCH] update man page for recent mount rule additions
Jamie Strandboge
jamie at canonical.com
Wed Apr 11 17:26:30 UTC 2012
On Wed, 2012-04-11 at 10:09 -0700, Steve Beattie wrote:
> On Wed, Apr 11, 2012 at 09:56:58AM -0700, John Johansen wrote:
> > So for the
> > >> "When both = and in conditional operators are used the options within
> > >> each condition type can be combined and split interchangeably."
> >
> > is for within a single rule
> >
> > that is to say
> >
> > mount options=ro options=atime /dev/foo,
> >
> > is equivalent to
> > mount options=(ro, atime) /dev/foo,
> >
> > not
> > mount options=ro /dev/foo,
> > mount options=atime /dev/foo,
> >
> > though now thinking about it, this last interpretation might be better.
> > It is not to late to change this, so I would like opions
>
> For the record, what I was hoping/exoecting the 'in' syntax would
> accomplish was eliminating the need to write stuff like the latter;
> i.e. that
>
> mount options in (ro, atime) /dev/foo,
>
> would be equivalent to
>
> mount options=ro /dev/foo,
> mount options=atime /dev/foo,
>
> and not
>
> mount options=ro /dev/foo,
> mount options=rw /dev/foo,
> mount options=atime /dev/foo,
> mount options=noatime /dev/foo,
>
'in' does more than that. Ie:
mount options=ro /dev/foo,
mount options=atime /dev/foo,
Means these match:
$ mount -o ro /dev/foo ...
$ mount -o atime /dev/foo ...
But this doesn't:
$ mount -o ro,atime /dev/foo
We can already do 'mount options=(ro,atime)' which does the above. What
makes 'in' useful is the combinations it affords:
mount options in (ro, atime) /dev/foo
matches:
$ mount -o ro /dev/foo ...
$ mount -o atime /dev/foo ...
$ mount -o ro,atime /dev/foo ...
It regrettably (due to kernel limitations) also lets the inverse options
in there too (eg 'mount -o rw,noatime /dev/foo ...' also matches the
above 'in' rule). It might be worth reconsidering if the null set should
be allowed, which seems goofy to me.
Eg
mount options in (ro, atime) /dev/foo
currently matches:
$ mount -o /dev/foo ...
which does seem a bit odd. I'm ok with living with it in 12.04 if needed
though.
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120411/d7f9b2b1/attachment.pgp>
More information about the AppArmor
mailing list