[apparmor] AppArmor 2.8 syntax changes
John Johansen
john.johansen at canonical.com
Sun Mar 11 02:25:51 UTC 2012
So while these have been discussed in patches etc., the following are the current
extensions to AppArmor syntax for the upcoming 2.8 release.
* File rules

The file keyword can now be optionally added in front of file rules. This
was done to add consistency with other rule types.

Eg.
  file /tmp/** rw,

The file keyword can also be used bare to represent granting access to all files.
  file,
* Capability rules

The capability syntax has been extended to allow multiple capability keywords in
a single rule.

Eg.
  capability sys_admin mac_admin dac_override,

It can also be used as a bare keyword to represent all capabilities:
  capability,

This can be combined with deny to allow all but a few capabilities:
  capability,
  deny capability mac_admin,
* Mount rules

AppArmor has been expanded to support mount rules. They have the following basic
syntax:

  [audit] [deny] mount <conds>* [(<device>|<src>) ->] [<dest>],
  [audit] [deny] remount <conds>* [path],
  [audit] [deny] umount <conds>* [path],
  [audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>,

where <conds> can be

  fstype=<expr>
  options=<expr>
  owner[=<expr>]

and <expr> can be

  <re> | '(' (<re>[,])+ ')'

Eg.
  mount,                              # allow any mount
  mount /dev/foo,                     # allow mounting of /dev/foo anywhere
  mount options=ro /dev/foo,          # allow mounting /dev/foo as read only
  mount options=(ro,foo) /dev/foo,
  mount options=ro options=foo /dev/foo,
  mount -> /mnt/**,                   # allow any mount on dirs under /mnt/
  mount options=ro -> /mnt/**,        # allow any read only mount under /mnt/
  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/,
  remount options=(ro) /dev/foo,
  umount,
  umount /dev/foo,
  pivotroot,
  pivotroot oldroot=/var/old /foo,
  pivotroot oldroot=/var/old /foo -> profile_bar,
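As an added example (my own code, not part of this announcement or of the AppArmor parser), here is a small Python parser for the mount rule grammar above, generalised to remount and umount since they share the <conds> part; pivotroot, whose only condition is oldroot=<value>, is not handled. It treats repeated conditions as accumulating, so `options=ro options=foo` parses the same as `options=(ro,foo)`, and it rejects rules that do not fit the grammar (missing trailing comma, a condition without a value, two paths without `->`).

```python
import re
# Grammar from the announcement (pivotroot, whose only condition is
# oldroot=<value>, is not handled):
#   [audit] [deny] mount   <conds>* [(<device>|<src>) ->] [<dest>],
#   [audit] [deny] remount|umount <conds>* [path],
#   <conds> ::= fstype=<expr> | options=<expr> | owner[=<expr>]
#   <expr>  ::= <re> | '(' (<re>[,])+ ')'
COND_RE = re.compile(r'(fstype|options|owner)(?:=(\([^)]*\)|[^\s()]+))?')

def parse_expr(text):
    """'(ro,foo)' -> ['ro', 'foo']; 'ro' -> ['ro']."""
    if text.startswith('('):
        return [t for t in text[1:-1].split(',') if t]
    return [text]

def parse_mount_rule(rule):
    """Parse one mount/remount/umount rule into a dict, or raise ValueError."""
    rule = rule.split('#', 1)[0].strip()                # drop a trailing comment
    if not rule.endswith(','):
        raise ValueError('rule must end with a comma: %r' % rule)
    tokens = rule[:-1].split()
    out = {'audit': False, 'deny': False, 'keyword': None,
           'conds': {}, 'source': None, 'dest': None}
    while tokens and tokens[0] in ('audit', 'deny'):   # optional qualifiers
        out[tokens.pop(0)] = True
    if not tokens or tokens[0] not in ('mount', 'remount', 'umount'):
        raise ValueError('not a mount rule: %r' % rule)
    out['keyword'] = tokens.pop(0)
    while tokens and COND_RE.fullmatch(tokens[0]):      # <conds>*
        name, value = COND_RE.fullmatch(tokens.pop(0)).groups()
        if value is None and name != 'owner':
            raise ValueError('%s needs a value: %r' % (name, rule))
        out['conds'].setdefault(name, []).extend(parse_expr(value) if value else [])
    if out['keyword'] != 'mount':                       # remount/umount: [path]
        if len(tokens) > 1:
            raise ValueError('only one path allowed: %r' % rule)
        out['source'] = tokens[0] if tokens else None
        return out
    if '->' in tokens:                                  # [src ->] [dest]
        i = tokens.index('->')
        if i > 1 or len(tokens) - i > 2:
            raise ValueError('bad source/destination: %r' % rule)
        out['source'] = tokens[0] if i == 1 else None
        out['dest'] = tokens[i + 1] if len(tokens) > i + 1 else None
    elif len(tokens) == 1:                              # bare device, any dest
        out['source'] = tokens[0]
    elif tokens:
        raise ValueError('expected "->" between source and dest: %r' % rule)
    return out
```

It follows only the grammar quoted above, so it is a syntax check for the rule forms listed here, not a substitute for loading the profile with apparmor_parser.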