[apparmor] [PATCH 2/2] apparmor.d.pod: refactor profile file, profile, subprofile, hat patterns

John Johansen john.johansen at canonical.com
Tue Mar 24 11:11:46 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/apparmor.d.pod | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 51a8284..b877e21 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -44,6 +44,12 @@ to the policy; this behaviour is modelled after cpp(1).
 
 =over 4
 
+B<PROFILE FILE> = I<PREAMBLE> I<PROFILES>
+
+B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )*
+
+B<PROFILES> = ( B<PROFILE> )*
+
 B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
 
 B<ABS PATH> = '"' path '"' (the path is passed to open(2))
@@ -54,7 +60,15 @@ B<COMMENT> = '#' I<TEXT>
 
 B<TEXT> = any characters
 
-B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' ( I<RULES> )* '}'
+B<PROFILE> = ( I<FILEGLOB> | I<PROFILE NAME> ) [ I<ATTACHMENT SPECIFICATION> ] [ <PROFILE FLAG CONDS> ] I<BLOCK>
+
+B<PROFILE NAME> = 'profile' I<AARE>
+
+B<ATTACHMENT SPECIFICATION> = I<FILEGLOB>
+
+B<PROFILE FLAG CONDS> = 'flags=(' comma or white space separated list of I<PROFILE FLAGS> ')'
+
+B<PROFILE FLAGS> = 'complain' | 'enforce' | 'mediate_deleted' | attach_disconnected'
 
 B<RULES> = [ ( I<COMMENT> | I<LINE RULES> [ '\r' ] '\n' | I<COMMA RULES> ',' | I<BLOCK RULES> )
 
@@ -62,9 +76,15 @@ B<LINE RULES> = ( I<COMMENT> | I<INCLUDE> )
 
 B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<DBUS RULE> )
 
-B<BLOCK RULES> = I<SUBPROFILE>
+B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> )
 
-B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
+B<BLOCK> = '{' ( I<RULES> )* '}'
+
+B<SUBPROFILE> = I<PROFILE NAME> [ I<ATTACHMENT SPECIFICATION> ] [ <PROFILE FLAG CONDS> ] I<BLOCK>
+
+B<HAT> = ('hat' | '^') I<HATNAME> [ <PROFILE FLAG CONDS> ] I<BLOCK>
+
+B<HATNAME> = '^'  (non-whitespace characters; see aa_change_hat(2) for a description of how this "hat" is used.)
 
 B<ACCESS TYPE> = ( 'allow' | 'deny' )
 
@@ -85,12 +105,6 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
 B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
 
-B<PROGRAM> = (non-whitespace characters except for '^', must start with '/'. Embedded spaces or tabs must be quoted.)
-
-B<PROGRAMHAT> = '^'  (non-whitespace characters; see aa_change_hat(2) for a description of how this "hat" is used.)
-
-B<PROGRAMCHILD> = I<SUBPROFILE> name
-
 B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
 
 B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ -E<gt> [ I<MOUNTPOINT FILEGLOB> ]
@@ -113,7 +127,7 @@ B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec'
 
 B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
 
-B<PIVOT ROOT RULE> = [ I<QUALIFIERS> ] pivot_root [ oldroot=I<OLD PUT FILEGLOB> ] [ I<NEW ROOT FILEGLOB> ] [ -E<gt> I<PROGRAMCHILD> ]
+B<PIVOT ROOT RULE> = [ I<QUALIFIERS> ] pivot_root [ oldroot=I<OLD PUT FILEGLOB> ] [ I<NEW ROOT FILEGLOB> ] [ -E<gt> I<PROFILE NAME> ]
 
 B<SOURCE FILEGLOB> = I<FILEGLOB>
 
@@ -251,7 +265,7 @@ B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
 B<ALPHANUMERIC> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
-B<CHANGE_PROFILE RULE> = 'change_profile' [ I<EXEC COND> ] [ -E<gt> I<PROGRAMCHILD> ]
+B<CHANGE_PROFILE RULE> = 'change_profile' [ I<EXEC COND> ] [ -E<gt> I<PROFILE NAME> ]
 
 B<EXEC COND> = I<FILEGLOB>
 
-- 
2.1.4



