[apparmor] [PATCH 07/10] Update exec transition documentation.

Christian Boltz apparmor at cboltz.de
Fri Mar 20 18:23:58 UTC 2015


Hello everyone,

On Friday, 20 March 2015, John Johansen wrote:
> Add miss ix and ux fallback permission modes, named profile
> transitions. Also fix the file access modes and rule pattern to
> properly reflect what is allowed.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/apparmor.d.pod | 100
> +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 90
> insertions(+), 10 deletions(-)
> 
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 08407de..d44fe33 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -195,13 +195,17 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"'
> I<AARE> '"' | I<AARE> ')' )
> 
>  B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE>
> ')' )
> 
> -B<FILE RULE> = I<FILE QUALIFIERS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB>
> ) I<ACCESS> ',' 
> +B<FILE RULE> = I<FILE QUALIFIERS> ( '"' I<FILEGLOB>

As in 5/10, please change this to ... = I<QUALIFIERS> [ 'owner' ] ...
and ...

> '"' | I<FILEGLOB> ) I<ACCESS> [ -E<gt> <EXEC TARGET> ] ',' +
> +B<FILE QUALIFIERS> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ]
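Review bot: in the new B<FILE RULE> production, `[ -E<gt> <EXEC TARGET> ]` is the only place where a nonterminal is written without the I<> markup used for I<FILEGLOB> and I<ACCESS>, and no B<EXEC TARGET> production is added anywhere in this hunk. Suggest `[ -E<gt> I<EXEC TARGET> ]` plus a definition line stating what an exec target may be (the profile name used by the "named profile transitions" the commit message mentions), so a reader can tell from the grammar alone how a rule names the profile it transitions to.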

... drop the <FILE QUALIFIERS> definition.

>  B<FILEGLOB> = (must start with '/' (after variable expansion),
> B<AARE> have special meanings; see below. May include I<VARIABLE>.
> Rules with embedded spaces or tabs must be quoted. Rules must end
> with '/' to apply to directories.)
> 
> -B<FILE QUALIFIERS> [ I<QUALIFIERS> ] [ 'owner' ]
> +B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION>
> )+  (not all combinations are allowed; see below.) +
> +B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' |
> 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'Pux' | 'cux' | 'Cux'
> )
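Review bot: the B<ACCESS> production `( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+` admits several I<EXEC TRANSITION> tokens in one rule, yet the prose added further down says each mode is "Incompatible with other exec transition modes". The grammar should encode that limit instead of leaving it to the "not all combinations are allowed" remark, e.g. `( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' )* [ I<EXEC TRANSITION> ]`, so that a rule carrying two exec modes is visibly malformed rather than something the reader has to infer.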

Is the mixed upper-/lowercase in Pux and Cux correct or should it be 
PUx/CUx?

I seem to remember that the first letter decides about scrubbing the 
environment, so this should probably be PUx and CUx (with Ux as their 
fallback).

[...]
> +=item B<Pux>

PUx?

> +- discrete profile execute with fallback to unconfined -- scrub the
> environment +
> +=item B<cux>
> +
> +- transition to subprofile on execute with fallback to unconfined
> +
> +=item B<Cux>
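Review bot: the one-line descriptions for the unconfined-fallback modes ("discrete profile execute with fallback to unconfined" for B<Pux>, "transition to subprofile on execute with fallback to unconfined" for B<cux>) should spell out the consequence: if the named profile or subprofile is not loaded, the child runs with no confinement at all, so a misspelled or missing profile name silently degrades the rule to 'ux'/'Ux' behaviour. Suggest adding "(the child runs unconfined if the target profile does not exist)" to each of these items, and stating for each whether the environment is scrubbed on that fallback, as the B<Pux> entry already does with "-- scrub the environment".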

CUx?

[...]
> +=item B<Profile transition with inheritance fallback execute mode>
> +
> +These modes attempt to preform a domain transition as specified by

Should this be p_er_form instead of p_re_form?

[...]
> +=item B<Profile transition with unconfined fallback execute mode>
> +
> +These modes attempt to preform a domain transition as specified by
> +the matching permission (shown below) and if that transition fails
> +to find the matching profile the domain transition proceeds using
> +the 'ux' transition mode if 'pux', 'cux' or the 'Ux' transition mode
> +if 'Pux', 'Cux' is used.
> +
> +  'Pux' == 'Px' with fallback to 'ux'
> +  'pux' == 'px' with fallback to 'ux'
> +  'Cux' == 'Cx' with fallback to 'ux'
> +  'cux' == 'cx' with fallback to 'ux'
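Review bot: the sentence "the domain transition proceeds using the 'ux' transition mode if 'pux', 'cux' or the 'Ux' transition mode if 'Pux', 'Cux' is used" contradicts the table directly below it, which gives `'Pux' == 'Px' with fallback to 'ux'` and `'Cux' == 'Cx' with fallback to 'ux'` (lowercase). One of the two is wrong, and the difference is whether the environment is scrubbed when the fallback to unconfined is taken, so the table and the sentence must agree; following the sentence, those two table lines would read `'Pux' == 'Px' with fallback to 'Ux'` and `'Cux' == 'Cx' with fallback to 'Ux'`. The sentence itself also reads more clearly split into "using 'ux' for 'pux' and 'cux', or 'Ux' for 'Pux' and 'Cux'".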

PUx/CUx instead of Pux/Cux?

> +Incompatible with other exec transition modes.
> +
> +=item B<Directed profile transitions>
> +
> +The directed ('px', 'Px', 'pix', 'Pix', 'pux', 'Pux') profile and
> +subprofile ('cx', 'Cx', 'cix', 'Cix', 'cux', 'Cux') transitions

PUx/CUx instead of Pux/Cux?


Regards,

Christian Boltz
-- 
> check up on dusted up coolers / vents etc. 
That is the first thing that I did, but I can't imagine that 
the amount of dust is automatically changing with the kernel ?
[> David Haller and Raymond Wooninck in opensuse-factory]