[apparmor] [PATCH 06/10] Add basic documentation of change_profile rules to apparmor.d man page

Christian Boltz apparmor at cboltz.de
Fri Mar 20 12:53:06 UTC 2015


Hello,

On Friday, 20 March 2015, John Johansen wrote:
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/apparmor.d.pod | 22 +++++++++++++++++++++-
>  1 file changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 70d9c8c..08407de 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
...
> +=head2 change_profile rules
> +
> +AppArmor supports self directed profile transitions via the
> change_profile +api. Change_profile rules control which permissions
> for which profiles +a confined task can transition to.  The profile
> name can contain apparmor +pattern matching to specify different
> profiles.
> +
> +  change_profile -> **,
> +
> +The change_profile api allows the transition to be delayed until when
> +a task executes another application. 

Please make the following a separate paragraph.

> Change_profile permission can
> +restrict which profiles can be transitioned to based off of the
> executable +name by specifying the exec condition.
> +
> +  change_profile /bin/bash -> new_profile,
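
Review bot: The first example, "change_profile -> **,", is given without saying what it permits. The sentence before it says the profile name can be an AppArmor pattern, and "**" matches every profile name, so the man page should state that this rule allows a transition to any profile and show a narrower target (a single profile name or a tighter pattern) beside it. The opening sentence "control which permissions for which profiles a confined task can transition to" is also hard to parse; "control which profiles a confined task is allowed to transition to" would read more clearly. The paragraph on delaying the transition until exec does not say how a task requests that, so a reference to the man page of the API call involved would help readers.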

A short explanation why this is useful would be nice, for example 
something like (assuming I understand it right)

    Specifying an exec condition is useful if your profile contains ix 
    rules, and you want to allow the transition only if done by the
    specific executable.

Feel free to adjust the text ;-)

With the above changes,
Acked-by: Christian Boltz <apparmor at cboltz.de>


Regards,

Christian Boltz
-- 
The mission statement is simply 'world domination', 
but we don't tell anybody. :-)
[Juergen Weigert in opensuse-project]



