[apparmor] [PATCH] update man page for recent mount rule additions
John Johansen
john.johansen at canonical.com
Wed Apr 11 17:27:48 UTC 2012
On 04/11/2012 10:09 AM, Steve Beattie wrote:
> On Wed, Apr 11, 2012 at 09:56:58AM -0700, John Johansen wrote:
>> So for the
>>>> "When both = and in conditional operators are used the options within
>>>> each condition type can be combined and split interchangeably."
>>
>> is for within a single rule
>>
>> that is to say
>>
>> mount options=ro options=atime /dev/foo,
>>
>> is equivalent to
>> mount options=(ro, atime) /dev/foo,
>>
>> not
>> mount options=ro /dev/foo,
>> mount options=atime /dev/foo,
>>
>> though now thinking about it, this last interpretation might be better.
>> It is not to late to change this, so I would like opions
>
> For the record, what I was hoping/exoecting the 'in' syntax would
> accomplish was eliminating the need to write stuff like the latter;
> i.e. that
>
> mount options in (ro, atime) /dev/foo,
>
> would be equivalent to
>
> mount options=ro /dev/foo,
> mount options=atime /dev/foo,
>
that is close to what I intended, I did it as
mount options=(ro,atime) /dev/foo,
mount options=ro /dev/foo,
mount options=atime /dev/foo,
however because of the implementation it also picks up, the others. I have
thought about this some more, and its actually an implementational detail.
It doesn't have to imply the other sets. I started poking at it last night
but I was just too tired. Basically this needs more work to fix than we
have time.
We can and probably should rework this, we could document it as above and
remove the offending implied options. And then issue a patch after release
that fixes the behavior, so we would be releasing a parser with a bug that
allows more permissions than it should.
> and not
>
> mount options=ro /dev/foo,
> mount options=rw /dev/foo,
> mount options=atime /dev/foo,
> mount options=noatime /dev/foo,
>
> That said, I can kind of see the consistency argument, where multiple
> options= entries are like multiple permission modes (r, w, m) on file
> permissions.
>
>
>
>
More information about the AppArmor
mailing list