[apparmor] [PATCH 3/7] Update apparmor.d man page to document file rules with leading permissions

John Johansen john.johansen at canonical.com
Sat Mar 21 11:53:17 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Christian Boltz <apparmor at cboltz.de>
---
 parser/apparmor.d.pod | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 5c97896..661d924 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -195,7 +195,7 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
 B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
-B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ] ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS>  [ -E<gt> <EXEC TARGET> ] ','
+B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ] ( ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS>  | [I<ACCESS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) ) [ -E<gt> <EXEC TARGET> ] ','
 
 B<FILEGLOB> = (must start with '/' (after variable expansion), B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
 
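Review bot: the new FILE RULE production has an unbalanced bracket in its second alternative: `[I<ACCESS>` opens a '[' that is never closed, and the group that follows ends with ')' only. As written, a reader cannot tell whether the leading access is meant to be optional. Dropping the stray '[' so the alternative reads `| I<ACCESS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) )` would make the grammar parse as intended. While the line is being rewritten, `<EXEC TARGET>` could also get the I<> markup the other nonterminals on this line carry.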
@@ -513,6 +513,19 @@ on the new link, it must match the original file exactly.
 Allows the program to be able lock a file with this name.  This permission
 covers both advisory and mandatory locking.
 
+=item B<leading OR trailing access permissions>
+
+File rules can be specified with the access permission either leading
+or trailing the file glob. Eg.
+
+  rw /**,		# leading permissions
+
+  /** rw,		# trailing permissions
+
+When a leading permissions is used further rule options and context
+may be allowed, Eg.
+  l /foo -> /bar,	# lead 'l' link permission is equivalent to link rules
+
 =back
 
 =head2 Comments
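Review bot: the last example, `l /foo -> /bar,`, follows the text line "may be allowed, Eg." with no empty line in between, so POD will fold it into the preceding ordinary paragraph instead of rendering it as a verbatim block like the two examples above it; add an empty line before it. On wording, "When a leading permissions is used" should read "When leading permissions are used", and "further rule options and context may be allowed" does not say which options are meant. The only one shown is the `->` link target, so naming it explicitly would help profile authors. This =item also sits at the end of the list of individual permission descriptions, right after the lock entry, although it documents rule syntax rather than a permission; a short paragraph outside the list may be a better home for it.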
-- 
2.1.4



