[apparmor] Using r, w, m, c altogether
Seth Arnold
seth.arnold at canonical.com
Wed Jun 26 00:21:49 UTC 2013
On Wed, Jun 26, 2013 at 07:54:46AM +0800, Aaron Lewis wrote:
> Hi,
>
> Looks like I can use rwmc altogether, am I wrong?
>
> owner @{HOME}/.config/google-googletalkplugin/{**,} rwmc,
I can't see 'c' support in our current parser source code, nor can I get
this to work in a test profile:
$ echo "/t { / rwmc, }" | apparmor_parser -Q -d
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_ID, expecting TOK_MODE
But removing the 'c':
$ echo "/t { / rwm, }" | apparmor_parser -Q -d
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
----- Debugging built structures -----
Name: /t
Profile Mode: Enforce
--- Entries ---
Mode: rwam:rwam Name: (/)
$
When the kernel logs a denied mode of 'c', it is indeed a process trying
to create the file, but there is currently no way to give _only_ this
privilege to a process. 'w' will also grant this permission.
All you need is 'rwm'.
Thanks
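
Added example, not part of the original message and not AppArmor project code: a small Python helper that reads kernel denial lines and turns each denied_mask into permission letters a profile rule accepts, folding the logged 'c' into 'w' as the reply describes. The log lines, the profile name /usr/bin/example and the function names are constructed for illustration, and only the letters r, w, a, m, k, l plus the logged 'c' are handled.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original thread).
SAMPLE_LOG = '''\
audit: type=1400 audit(1372205000.101:41): apparmor="DENIED" operation="mknod" profile="/usr/bin/example" name="/home/user/.config/google-googletalkplugin/state" pid=4242 comm="example" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1372205000.205:42): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/home/user/.config/google-googletalkplugin/state" pid=4242 comm="example" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
audit: type=1400 audit(1372205001.310:43): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/example" name="/home/user/.config/google-googletalkplugin/lib.so" pid=4242 comm="example" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
audit: type=1400 audit(1372205002.000:44): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs in an audit line
ORDER = "rwamkl"                         # output order for the letters handled here


def to_profile_mode(denied_mask):
    """Translate a kernel denied_mask into letters a profile rule accepts."""
    # 'c' (create) is only a log letter; the parser rejects it, and 'w' grants it.
    letters = set(denied_mask.replace("c", "w"))
    if "w" in letters:
        # The parser dump in the thread shows 'rwm' expanding to 'rwam',
        # so a separate 'a' is redundant once 'w' is present.
        letters.discard("a")
    unknown = letters - set(ORDER)
    if unknown:
        # Letters outside this example's scope are reported, not guessed at.
        raise ValueError(f"unhandled mask letters: {sorted(unknown)}")
    return "".join(ch for ch in ORDER if ch in letters)


def suggest_rules(log_text):
    """Return {(profile, path): mode} merged over all DENIED lines."""
    masks = defaultdict(str)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # skip complain-mode (ALLOWED) and non-file events
        masks[(fields["profile"], fields["name"])] += fields.get("denied_mask", "")
    return {key: to_profile_mode(mask) for key, mask in masks.items()}


if __name__ == "__main__":
    for (profile, path), mode in suggest_rules(SAMPLE_LOG).items():
        print(f"{profile}: {path} {mode},")
```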