[apparmor] [PATCH 10/10] Add basic info about link rules to apparmor.d man page

John Johansen john.johansen at canonical.com
Fri Mar 20 12:02:34 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/apparmor.d.pod | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 03537ae..b437d21 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -54,7 +54,7 @@ B<COMMENT> = '#' I<TEXT>
 
 B<TEXT> = any characters
 
-B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<DBUS RULE> | I<UNIX RULE> | I<FILE RULE> | I<CHANGE_PROFILE RULE> ) ... ] '}'
+B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<DBUS RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> ) ... ] '}'
 
 B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
 
@@ -165,7 +165,7 @@ B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' )  (some accesses a
 
 B<AARE> = B<?*[]{}^> (see below for meanings)
 
-B<UNIX RILE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
+B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
 
 B<UNIX ACCESS EXPR> = ( I<UNIX ACCESS> | I<UNIX ACCESS LIST> )
 
@@ -207,6 +207,8 @@ B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' |
 
 B<EXEC TARGET> = name  (requires I<EXEC TRANSITION> specified)
 
+B<LINK RULE> = I<FILE QUALIFIERS> 'link' [ 'subset' ] <FILEGLOB> ( 'to' | '-E<gt>' ) <FILEGLOB> ','
+
 B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
 
 B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated values)
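Review bot: the new B<LINK RULE> production is inconsistent with the surrounding grammar in two ways. The two `<FILEGLOB>` references are written without the `I<...>` POD markup every other nonterminal on this page uses (compare `I<EXEC TRANSITION>` just above), so they will render as literal angle brackets instead of italic references; they should read `I<FILEGLOB>`. Also `I<FILE QUALIFIERS>` appears unbracketed and therefore mandatory, whereas B<UNIX RULE> writes `[ I<QUALIFIERS> ]`; if qualifiers are optional on a link rule, as the examples `link /foo -> bar,` in the prose hunk suggest, wrap it as `[ I<FILE QUALIFIERS> ]`.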
@@ -530,6 +532,27 @@ may be allowed, Eg.
 
 =back
 
+=head2 Link rules
+
+Link rules allow specifying permission to form a hard link as a link
+target pair.  If the subset condition is specified then the permissions
+to access the link file must be a subset of the profiles permissions
+to access the target file.
+
+The link rule is equivalent to specifying the 'l' link permission as
+a leading permission with no other file access permissions. When this
+is done the link rule options can be specified.
+
+The following link rule is equivalent to the 'l' permission file rule
+  link /foo -> bar,
+  l /foo -> /bar,
+
+File rules that specify the 'l' permission and don't specify the extend
+link permissions map to link rules as follows.
+  /foo l,
+  l /foo,
+  link subset /foo -> /**,
+
 =head2 Comments
 
 Comments start with # and may begin at any place within a line. The
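Review bot: the two example blocks will not render as verbatim text. In POD a verbatim paragraph must be separated by a blank line from the preceding text, but here `  link /foo -> bar,` and `  l /foo -> /bar,` directly follow "The following link rule is equivalent to the 'l' permission file rule" (and likewise the three lines after "map to link rules as follows."), so pod2man will reflow the indented lines into the sentence. Insert a blank line before each indented example and end the introductory sentences with a colon. Two smaller points in the same hunk: the first example pairs `link /foo -> bar,` with `l /foo -> /bar,`, and the relative `bar` versus absolute `/bar` makes the two rules not actually equivalent as written, so the first should probably be `/bar`; and "the profiles permissions" should be "the profile's permissions", "extend link permissions" should be "extended link permissions".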
-- 
2.1.4