[apparmor] [PATCH 1/3] libapparmor: Remove incorrect statement in aa_change_profile man page
Tyler Hicks
tyhicks at canonical.com
Wed Jan 27 00:18:32 UTC 2016
The statement was meant to convey the difference between aa_change_hat()
and aa_change_profile(). Unfortunately, it read as if there was
something preventing a program from using aa_change_profile() twice to
move from profile A to profile B and back to profile A, even if profiles
A and B contained the necessary rules.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Reported-by: Seth Arnold <seth.arnold at canonical.com>
---
libraries/libapparmor/doc/aa_change_profile.pod | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libraries/libapparmor/doc/aa_change_profile.pod b/libraries/libapparmor/doc/aa_change_profile.pod
index e5ac0be..6457c33 100644
--- a/libraries/libapparmor/doc/aa_change_profile.pod
+++ b/libraries/libapparmor/doc/aa_change_profile.pod
@@ -40,14 +40,13 @@ An AppArmor profile applies to an executable program; if a portion of
the program needs different access permissions than other portions,
the program can "change profile" to a different profile. To change into a
new profile, it can use the aa_change_profile() function to do so. It passes
-in a pointer to the I<profile> to transition to. Transitioning to another
-profile via aa_change_profile() is permanent and the process is not
-permitted to transition back to the original profile. Confined programs
-wanting to use aa_change_profile() need to have rules permitting changing
-to the named profile. See apparmor.d(8) for details.
+in a pointer to the I<profile> to transition to. Confined programs wanting to
+use aa_change_profile() need to have rules permitting changing to the named
+profile. See apparmor.d(8) for details.
If a program wants to return out of the current profile to the
-original profile, it should use aa_change_hat(2) instead.
+original profile, it may use aa_change_hat(2). Otherwise, the two profiles must
+have rules permitting changing between the two profiles.
Open file descriptors are not remediated after a call to aa_change_profile()
so the calling program must close(2) open file descriptors to ensure they
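Review bot: The added sentence "Otherwise, the two profiles must have rules permitting changing between the two profiles" is ambiguous, both in what "Otherwise" contrasts with and in which profile needs which rule. It also never says that returning is done by calling aa_change_profile() a second time, which is the case the commit message says the old text obscured. Consider wording such as "Alternatively, it may call aa_change_profile() again, in which case the current profile must contain a rule permitting the change back to the original profile." This states the direction of each rule explicitly, matches the earlier sentence about "rules permitting changing to the named profile", and avoids repeating "the two profiles" within one sentence.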
--
2.5.0