[apparmor] [PATCH 10/10] Add basic info about link rules to apparmor.d man page

John Johansen john.johansen at canonical.com
Sat Mar 21 10:56:06 UTC 2015


On 03/20/2015 12:06 PM, Christian Boltz wrote:
> Hello,
> 
> Am Freitag, 20. März 2015 schrieb John Johansen:
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>>  parser/apparmor.d.pod | 27 +++++++++++++++++++++++++--
>>  1 file changed, 25 insertions(+), 2 deletions(-)
>>
>> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
>> index 03537ae..b437d21 100644
>> --- a/parser/apparmor.d.pod
>> +++ b/parser/apparmor.d.pod
> ...
>> @@ -165,7 +165,7 @@ B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' |
>> 'eavesdrop' )  (some accesses a
>>
>>  B<AARE> = B<?*[]{}^> (see below for meanings)
>>
>> -B<UNIX RILE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [
>> I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
>> +B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [
>> I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
> 
> Nice typo ;-)
> 
>> @@ -207,6 +207,8 @@ B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px'
>> | 'Px' | 'cx' | 'Cx' | 'pix' |
>>
>>  B<EXEC TARGET> = name  (requires I<EXEC TRANSITION> specified)
>>
>> +B<LINK RULE> = I<FILE QUALIFIERS> 'link' [ 'subset' ] <FILEGLOB> (
>> 'to' | '-E<gt>' ) <FILEGLOB> ',' +
>>  B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
>>
>>  B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated
>> values) @@ -530,6 +532,27 @@ may be allowed, Eg.
>>
>>  =back
>>
>> +=head2 Link rules
>> +
>> +Link rules allow specifying permission to form a hard link as a link
>> +target pair.  If the subset condition is specified then the
>> permissions +to access the link file must be a subset of the profiles
>> permissions +to access the target file.
> 
> 'subset' usually translates to "need aspirin" when trying to understand 
> it. Maybe a short example profile would make it easier to understand.
> 
>> +The link rule is equivalent to specifying the 'l' link permission as
>> +a leading permission with no other file access permissions. When this
>> +is done the link rule options can be specified.
>> +
>> +The following link rule is equivalent to the 'l' permission file rule
>> +  link /foo -> bar,
>> +  l /foo -> /bar,
>> +
>> +File rules that specify the 'l' permission and don't specify the
>> extend +link permissions map to link rules as follows.
>> +  /foo l,
>> +  l /foo,
>> +  link subset /foo -> /**,
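Review bot: In the new grammar line `+B<LINK RULE> = I<FILE QUALIFIERS> 'link' [ 'subset' ] <FILEGLOB> ( 'to' | '-E<gt>' ) <FILEGLOB> ','`, the two FILEGLOB nonterminals lack the I<...> markup every other grammar line in this file uses (I<QUALIFIERS>, I<EXEC TRANSITION>), so POD will render them as literal angle brackets rather than as italic nonterminals. The qualifiers are also written as mandatory, while the B<UNIX RULE> line shows them as `[ I<QUALIFIERS> ]` and the examples in the new Link rules section (`link /foo -> bar,`) carry none, and the name I<FILE QUALIFIERS> differs from the I<QUALIFIERS> used by the neighbouring rules, so check it is actually defined. Suggest `B<LINK RULE> = [ I<QUALIFIERS> ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB> ','`.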
> 
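Review bot: The two lines presented as equivalent disagree on the target path: `+  link /foo -> bar,` uses a relative `bar` while `+  l /foo -> /bar,` uses `/bar`; make both `/bar`. Also, POD only treats a paragraph as verbatim when its first line is indented, and both indented example groups directly follow an unindented sentence (`+The following link rule is equivalent to the 'l' permission file rule` and `+link permissions map to link rules as follows.`) with no blank line between, so they will be reflowed into the sentence instead of being rendered as code; insert an empty `+` line before each group. Minor wording: "the profiles permissions" should be "the profile's permissions" and "the extend link permissions" should be "the extended link permissions".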

I added

Eg.

  /file1  r,
  /file2  rwk,
  /link*  rw,
  link subset /link* -> /**,

  The link rule allows linking of /link to both /file1 and /file2 by
  name; however, because the /link file has 'rw' permissions it is not
  allowed to link to /file1, because that would grant an access path
  to /file1 with more permissions than the 'r' permissions the profile
  specifies.

  A link of /link to /file2 would be allowed because the 'rw' permissions
  of /link are a subset of the 'rwk' permissions for /file1.

> With or without an example for subset added,
> Acked-by: Christian Boltz <apparmor at cboltz.de>
> 
> BTW: My Acks in this patchset are also for 2.9, even if I didn't mention 
> it on each patch.
> 
> 
> Regards,
> 
> Christian Boltz
> 
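A small model of the 'subset' check described in the reply above, added here as an example (not code from the thread or from AppArmor itself); the profile text is the one quoted above, and the glob translation and rule matching are simplified assumptions rather than the parser's or kernel's real algorithm:

```python
import re
# Constructed profile text, mirroring the example in the reply above.
PROFILE = """
/file1  r,
/file2  rwk,
/link*  rw,
link subset /link* -> /**,
"""

def glob_to_regex(glob):
    """Simplified AppArmor-style glob: '**' may cross '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] in "*?":
            out.append("[^/]*" if glob[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_profile(text):
    """Split profile text into file rules (glob, perms) and link rules (src, dst, subset)."""
    file_rules, link_rules = [], []
    for line in text.splitlines():
        tokens = line.strip().rstrip(",").split()
        if not tokens:
            continue
        if tokens[0] == "link":
            subset = tokens[1] == "subset"
            src, _arrow, dst = tokens[2 if subset else 1:]   # arrow is 'to' or '->'
            link_rules.append((glob_to_regex(src), glob_to_regex(dst), subset))
        else:
            path, perms = tokens
            file_rules.append((glob_to_regex(path), set(perms)))
    return file_rules, link_rules

def perms_for(path, file_rules):
    """Union of the permissions granted to 'path' by every matching file rule."""
    return set().union(*(p for rx, p in file_rules if rx.match(path)))

def link_allowed(link, target, profile_text):
    """Hypothetical model: a matching link rule is required, and with 'subset'
    the link's own permissions must not exceed those granted on the target."""
    file_rules, link_rules = parse_profile(profile_text)
    for src_rx, dst_rx, subset in link_rules:
        if src_rx.match(link) and dst_rx.match(target):
            if not subset or perms_for(link, file_rules) <= perms_for(target, file_rules):
                return True
    return False
```

With the quoted profile, `link_allowed("/link", "/file1", PROFILE)` is refused because 'rw' is not a subset of 'r', while `/file2` (perms 'rwk') is accepted.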



