[apparmor] [PATCH 4/4] Add documentation of qualifier blocks to apparmor.d man page

John Johansen john.johansen at canonical.com
Wed Apr 1 09:32:30 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/apparmor.d.pod | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 6047eda..59705fe 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -78,7 +78,7 @@ B<LINE RULES> = ( I<COMMENT> | I<INCLUDE> ) [ '\r' ] '\n'
 
 B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<ALIAS RULE> | I<DBUS RULE> )
 
-B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> )
+B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> | I<QUALIFIER BLOCK> )
 
 B<BLOCK> = '{' ( I<RULES> )* '}'
 
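Review bot: adding I<QUALIFIER BLOCK> to B<BLOCK RULES> makes qualifier blocks nestable if I<RULES> (defined outside this hunk) includes B<BLOCK RULES>, since B<BLOCK> = '{' ( I<RULES> )* '}' would then admit a qualifier block inside another one. The prose section should say whether nesting is permitted and how the qualifiers of an outer block combine with an inner block or with qualifiers on the enclosed rules, e.g. whether `audit { deny /foo r, }` is accepted and what it means.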
@@ -88,6 +88,8 @@ B<HAT> = ('hat' | '^') I<HATNAME> [ <PROFILE FLAG CONDS> ] I<BLOCK>
 
 B<HATNAME> = '^'  ( {IDS}|{QUOTED_ID see aa_change_hat(2) for a description of how this "hat" is used.)
 
+B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK>
+
 B<ACCESS TYPE> = ( 'allow' | 'deny' )
 
 B<QUALIFIERS> = [ 'audit' ] [ I<ACCESS TYPE> ]
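Review bot: with B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK> and every component of B<QUALIFIERS> optional ([ 'audit' ] [ I<ACCESS TYPE> ]), the grammar as written also derives a bare `{ ... }` block with no qualifier at all. If the parser requires at least one qualifier in front of the block, the production should reflect that (for example by introducing a non-empty qualifier list for this use); if a bare block is genuinely accepted, the Qualifier Blocks section should say so.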
@@ -1325,6 +1327,12 @@ Rule qualifiers can modify the rule and/or permissions within the rule.
 
 =over 4
 
+=item B<allow>
+
+Specifies that permissions requests that match the rule are allowed. This
+is the default value for rules and does not need to be specified. Conflicts
+with the I<deny> qualifier.
+
 =item B<audit>
 
 Specifies that permissions requests that match the rule should be recorded
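Review bot: "Conflicts with the I<deny> qualifier" in the new B<allow> entry leaves the outcome unspecified; state what the parser does when both are given on one rule or block (rejects the profile, or which one wins), since that is what a policy author reading this page needs to know. The wording "permissions requests" is kept consistent with the existing B<audit> and B<deny> entries, though "permission requests" would read more naturally if the whole list is touched.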
@@ -1333,13 +1341,24 @@ to the audit log.
 =item B<deny>
 
 Specifies that permissions requests that match the rule should be denied
-without logging. Can be combined with 'audit' to enable logging.
+without logging. Can be combined with 'audit' to enable logging. Conflicts
+with the I<allow> qualifier.
 
 =item B<owner>
 
 Specifies that the task must have the same euid/fsuid as the object being
 referenced by the permission check.
 
+=head3 Qualifier Blocks
+
+Rule Qualifiers can be applied to multiple rules at a time by grouping the
+rules into a rule block.
+
+  audit {
+     /foo r,
+     network,
+  }
+
 =back
 
 =head2 #include mechanism
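Review bot: the new `=head3 Qualifier Blocks` is placed inside the `=over 4` ... `=back` list (between the B<owner> item and `=back`), which POD does not allow; Pod::Simple based tools will report a missing `=back` before the `=head3` and implicitly close the list, so the heading and example should be moved below the existing `=back`. Also, "Rule Qualifiers" should be lower-cased to match "Rule qualifiers" in the surrounding text, and the example would be more useful if it showed a block combining qualifiers (e.g. `audit deny { ... }`) and stated how a block qualifier interacts with a qualifier written on a rule inside the block.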
-- 
2.1.4
