[apparmor] Was it necessary to use both "/Extra/ rw" and "/Extra/** rw"
John Johansen
john.johansen at canonical.com
Tue Jan 8 07:58:37 UTC 2013
On 01/07/2013 10:47 PM, Aaron Lewis wrote:
> Hi,
>
> If I granted a program to with
>
> /Extra/** rw
>
> Do I still need:
>
> /Extra rw
>
yes,

/Extra/** will only grant permission to files and directories under /Extra/
while /Extra would grant permission to access a file at that location.

Note that apparmor treats /Extra and /Extra/ as different.
If you don't care if it's a file or a directory you can do

  /Extra{/,} rw,

We can make this a single expression by doing

  /Extra/{**,} rw,

to grant access to the dir /Extra/ and all files and directories under it

or

  /Extra{/,/**,} rw,

to grant access to the file /Extra, the directory /Extra/ and all files and
directories under /Extra/

Note that there is a difference between * and ** in apparmor that is not
intuitive and I wish had been defined differently, but it wasn't so we have
been stuck with it.

  *  - will only match files
  ** - will match files and directories

so

  /foo/*       # match files
  /foo/*/      # match dirs
  /foo/*{/,}   # single level files or dir

but

  /foo/**      # match files and dirs
  /foo/**/     # match only dirs under /foo/
  /foo/**[^/]  # match only files under /foo/
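
Added example, not part of the original message and not AppArmor's own code: a simplified Python model of the glob rules described in the reply, useful for checking which paths a rule covers before loading a profile. It assumes directories are presented to the matcher with a trailing slash, and that a glob forming a whole path component must match at least one character; the function names and sample paths are constructed for illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor-style path glob into a Python regex (simplified model)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob.startswith("**", i)
            rest = glob[i:].lstrip("*")
            # Assumed rule: a glob that is a whole path component (after '/',
            # before '/' or end of pattern) must match at least one character.
            if glob[i - 1:i] == "/" and rest[:1] in ("", "/"):
                out.append(r"[^/\x00]")
            # '**' crosses '/', '*' stays inside one path component.
            out.append(r"[^\x00]*" if double else r"[^/\x00]*")
            i += 2 if double else 1
        elif c == "?":                      # one character, never '/'
            out.append(r"[^/\x00]"); i += 1
        elif c == "[":                      # character class, copied through
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1]); i = end + 1
        elif c == "{":                      # alternation; empty branches allowed
            out.append("(?:"); depth += 1; i += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1; i += 1
        elif c == "," and depth:
            out.append("|"); i += 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)

def matches(glob, path):
    return re.fullmatch(aa_glob_to_regex(glob), path) is not None

# Constructed sample data: the rules from the reply and a few test paths.
RULES = ["/Extra/**", "/Extra{/,}", "/Extra/{**,}", "/Extra{/,/**,}"]
PATHS = ["/Extra", "/Extra/", "/Extra/notes.txt", "/Extra/sub/", "/Extra/sub/a.txt"]

def coverage(rules=RULES, paths=PATHS):
    """Map each rule to the sample paths it would cover."""
    return {rule: [p for p in paths if matches(rule, p)] for rule in rules}

if __name__ == "__main__":
    for rule, covered in coverage().items():
        print(f"{rule:16} -> {covered}")
```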