[apparmor] [PATCH] update man page for recent mount rule additions
Steve Beattie
steve at nxnw.org
Wed Apr 11 18:08:43 UTC 2012
On Wed, Apr 11, 2012 at 10:45:59AM -0700, John Johansen wrote:
> On 04/11/2012 10:35 AM, Steve Beattie wrote:
> > Wait, the mount options don't accumulate? So
> >
> > mount options=ro /dev/foo,
> > mount options=atime /dev/foo,
> >
> > would allow
> >
> > mount -o ro /dev/foo /some/mnt/location/
> >
> > and
> >
> > mount -o atime /dev/foo /some/mnt/location/
> >
> > but would not allow
> >
> > mount -o ro,atime /dev/foo /some/mnt/location/
> >
> > ? This is seriously confusing.
> >
> How so? Within a single rule options set they do accumulate
> mount options=ro /dev/foo,
> mount options=atime /dev/foo,
>
> are separate rules
> mount options in (ro,atime) /dev/foo,
>
> is a different rule and it is equivalent to the 3 rules
> mount options=ro /dev/foo,
> mount options=atime /dev/foo,
> mount options=(ro,atime) /dev/foo,
Sorry, my confusion was thinking that mount options in separate
rules were or'ed together (accumulation across rules), not treated
independently. I.e. I had thought that by stating
mount options=ro /dev/foo,
mount options=atime /dev/foo,
it implicitly overlapped
mount options=(ro,atime) /dev/foo,
and thus made the last rule redundant.
I can see the case for treating these as XOR, eliminating the need
to write a deny rule if that's what you want.
> not saying we couldn't treat 'in' as a straight up list of single '=' options but
> it always was a set to me.
No, I was entirely expecting it to behave as a set.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
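To make the distinction in the thread concrete, here is an added, stand-alone Python model of the two option forms discussed (`options=...` as an exact set match, `options in (...)` as any non-empty subset, with separate rules evaluated independently). It is an illustration written for this post, not AppArmor's parser or its kernel matching code; the rule syntax it accepts is limited to the forms quoted above, and the function and class names (`MountRule`, `parse_profile`, `mount_allowed`, `expand_in_rule`) are my own.

```python
"""Model of the AppArmor mount-rule option semantics discussed in this thread.

Added illustration, not AppArmor's own parser or matching code. It covers
only the forms used in the discussion:

  options=ro             exact match: the mount must use exactly {ro}
  options=(ro,atime)     exact match on the whole set {ro, atime}
  options in (ro,atime)  any non-empty subset of {ro, atime}

and checks each rule on its own (no accumulation across rules), which is
the behaviour the thread settles on.
"""
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed regex for just the syntax quoted in the thread, e.g.
#   mount options=ro /dev/foo,
#   mount options=(ro,atime) /dev/foo,
#   mount options in (ro,atime) /dev/foo,
_RULE_RE = re.compile(
    r"^\s*mount\s+options(?P<op>\s*=\s*|\s+in\s+)"
    r"(?:\((?P<setlist>[^)]*)\)|(?P<single>[^\s(),]+))"
    r"\s+(?P<device>\S+)\s*,\s*$"
)


@dataclass(frozen=True)
class MountRule:
    op: str                 # "=" (exact set) or "in" (any non-empty subset)
    options: frozenset      # option names listed in the rule
    device: str

    def matches(self, requested: frozenset, device: str) -> bool:
        """Does this single rule permit `mount -o <requested> <device>`?"""
        if device != self.device:
            return False
        if self.op == "=":
            return requested == self.options
        # "in": the requested options must be a non-empty subset of the list
        return bool(requested) and requested <= self.options


def parse_rule(line: str) -> MountRule:
    m = _RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if m.group("setlist") is not None:
        opts = {o.strip() for o in m.group("setlist").split(",") if o.strip()}
    else:
        opts = {m.group("single")}
    return MountRule(m.group("op").strip(), frozenset(opts), m.group("device"))


def parse_profile(text: str) -> list:
    """Parse one rule per non-blank line."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def mount_allowed(rules, options: str, device: str) -> bool:
    """True if at least one rule, taken by itself, permits the mount."""
    requested = frozenset(o.strip() for o in options.split(",") if o.strip())
    return any(r.matches(requested, device) for r in rules)


def expand_in_rule(rule: MountRule) -> list:
    """Rewrite an `options in (...)` rule as the equivalent list of `=` rules,
    one per non-empty subset, as the thread describes for (ro,atime)."""
    if rule.op != "in":
        return [rule]
    opts = sorted(rule.options)
    return [MountRule("=", frozenset(combo), rule.device)
            for k in range(1, len(opts) + 1)
            for combo in combinations(opts, k)]


# Constructed sample profiles mirroring the examples in the thread.
SEPARATE_RULES = """
mount options=ro /dev/foo,
mount options=atime /dev/foo,
"""

IN_RULE = """
mount options in (ro,atime) /dev/foo,
"""

if __name__ == "__main__":
    sep = parse_profile(SEPARATE_RULES)
    for opts in ("ro", "atime", "ro,atime"):
        print(f"separate rules, mount -o {opts}: {mount_allowed(sep, opts, '/dev/foo')}")
    inr = parse_profile(IN_RULE)
    for opts in ("ro", "atime", "ro,atime", "ro,atime,nodev"):
        print(f"'in' rule,      mount -o {opts}: {mount_allowed(inr, opts, '/dev/foo')}")
    print("'in' rule expands to:",
          [sorted(r.options) for r in expand_in_rule(inr[0])])
```

Running it shows the point of the exchange: with the two separate `=` rules, `-o ro` and `-o atime` are each allowed but `-o ro,atime` is not, whereas the single `in (ro,atime)` rule allows all three and nothing outside that set.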