[apparmor] [PATCH 09/13] Allow the 'file' keyword to be optionally used on file rules.
Kees Cook
kees at ubuntu.com
Tue Feb 14 19:30:23 UTC 2012
On Tue, Feb 14, 2012 at 09:32:31AM -0800, John Johansen wrote:
> Add the optional 'file' keyword to the language/grammar. The main reason
> for doing this is to support false token injection, which is needed
> to move towards the parser being broken out into an API that can be
> used to parse individual rule types, separate from parsing the whole file.
>
> Since we are adding the token to the grammar, expose it to userspace with
> the 'file' keyword. While not needed, it helps bring consistency, as all
> the other rule types start with a keyword (capability, network, rlimit, ...).
>
> Also allow the bare keyword to be used to represent allowing all file
> operations, just as with network and capability. Domain transitions are
> defaulted to ix. Thus
>
> file,
>
> is equivalent to
>
> /** rwlkmix,
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Oh, very cool. I like this. :)
Acked-by: Kees Cook <kees at ubuntu.com>
--
Kees Cook