[apparmor] [patch] man page touchups

Steve Beattie steve at nxnw.org
Fri Mar 18 19:28:59 UTC 2016


This makes some of the references to functions in the aa_query_label(2)
manpage more consistent and fixes a couple of grammar issues. It also
tries to make the qualifying statements in apparmor.d(5) more distinct,
and also fixes some typos there as well.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 libraries/libapparmor/doc/aa_query_label.pod |   16 +++++-----
 parser/apparmor.d.pod                        |   40 ++++++++++++++++-----------
 2 files changed, 33 insertions(+), 23 deletions(-)

Index: b/libraries/libapparmor/doc/aa_query_label.pod
===================================================================
--- a/libraries/libapparmor/doc/aa_query_label.pod
+++ b/libraries/libapparmor/doc/aa_query_label.pod
@@ -47,22 +47,22 @@ Link with B<-lapparmor> when compiling.
 
 =head1 DESCRIPTION
 
-The aa_query_label function fetches the current permissions granted by the
+The B<aa_query_label> function fetches the current permissions granted by the
 specified I<label> in the I<query> string.
 
 The query is a raw binary formatted query, containing the label and
 permission query to make. The returned I<allowed> and I<audited> values are
-interpreted boolean values, simple stating whether the query is allowed and
+interpreted boolean values, simply stating whether the query is allowed and
 if it is audited.
 
 The mask of the query string is a bit mask of permissions to query and is
-class type dependent (see AA_CLASS_xxx) entries in I<sys/apparmor.h>.
+class type dependent (see B<AA_CLASS_xxx> entries in I<sys/apparmor.h>).
 
 The format of the query string is also dependent on the B<AA_CLASS> and as
-such the the aa_query_xxx helper functions should usually be used instead
-of directly using I<aa_query_label>. If directly using the interface the
+such the aa_query_xxx helper functions should usually be used instead
+of directly using B<aa_query_label>. If directly using the interface the
 I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
-that will be used by I<aa_query_label>.
+that will be used by B<aa_query_label>.
 
 The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper
 function that assemble a properly formatted file path query for the
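Review bot: "aa_query_xxx" on the changed line "such the aa_query_xxx helper functions should usually be used instead" is left unformatted while every other function reference in this hunk becomes B<...>. Suggest B<aa_query_xxx> there to match B<AA_CLASS_xxx> and B<aa_query_label>. The trailing context also still reads "functions are helper function that assemble", which could be fixed to "helper functions that assemble" in the same pass.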
@@ -92,9 +92,9 @@ error, -1 is returned, and errno(3) is s
 
 The requested I<mask> is empty.
 
-The I<size> of the query is E<lt> the query B<AA_QUER?Y_CMD_LABEL_SIZE>
+The I<size> of the query is less than the query B<AA_QUERY_CMD_LABEL_SIZE>
 
-The apparmor kernel module is not loaded or the he kernel interface access
+The apparmor kernel module is not loaded or the kernel interface access
 interface is not available
 
 =item B<ENOMEM>
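Review bot: the second changed line, joined with its continuation, still reads "the kernel interface access interface is not available", so a duplicated "interface" survives the "the he" fix. Suggest "or the kernel interface is not available". The error conditions in this hunk also end without a period, which could be normalised here.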
Index: b/parser/apparmor.d.pod
===================================================================
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -46,13 +46,15 @@ to the policy; this behaviour is modelle
 
 B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )*
 
-B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* (variable assignment must come before the profile)
+B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )*
+  Variable assignment must come before the profile.
 
 B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
 
 B<ABS PATH> = '"' path '"' (the path is passed to open(2))
 
-B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>' (the path is relative to F</etc/apparmor.d/>)
+B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>'
+  The path is relative to F</etc/apparmor.d/>.
 
 B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'
 
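Review bot: B<ABS PATH>, sitting between the two converted entries, keeps its qualifier as a trailing parenthetical, "(the path is passed to open(2))", so the INCLUDE group now mixes both styles. Suggest moving it to an indented "The path is passed to open(2)." line like B<MAGIC PATH>. Also note that an indented continuation line inside an ordinary POD paragraph is not verbatim text, so formatters will reflow it onto the grammar line; if a visible break is wanted in the rendered page, the qualifier needs its own paragraph.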
@@ -86,7 +88,7 @@ B<SUBPROFILE> = 'profile' I<PROFILE NAME
 
 B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
 
-B<HATNAME> = ( must start with alphanumeric character. see aa_change_hat(2) for a description of how this "hat" is used. IF '^' is used to start a hat then there is no space between the '^' and I<HATNAME>)
+B<HATNAME> = (must start with alphanumeric character. See aa_change_hat(2) for a description of how this "hat" is used. If '^' is used to start a hat then there is no space between the '^' and I<HATNAME>)
 
 B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK>
 
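Review bot: B<HATNAME> still wraps its whole definition in parentheses, starting lowercase with "(must start with alphanumeric character." while the following sentences are capitalised, and it does not follow the separate-qualifier-line layout applied to other entries in this patch. Suggest dropping the parentheses and writing "Must start with an alphanumeric character." as the first sentence.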
@@ -193,31 +195,33 @@ B<DBUS LABEL> = 'label' '=' '(' '"' I<AA
 
 B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS>
 
-B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' )  (some accesses are incompatible with some rules; see below.)
+B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' )
+  Some accesses are incompatible with some rules; see below.
 
-B<AARE> = B<?*[]{}^> (see below for meanings)
+B<AARE> = B<?*[]{}^>
+  See below for meanings.
 
 B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
 
 B<UNIX ACCESS EXPR> = ( I<UNIX ACCESS> | I<UNIX ACCESS LIST> )
 
 B<UNIX ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
- (some access modes are incompatible with some rules or require additional parameters)
+  Some access modes are incompatible with some rules or require additional parameters.
 
 B<UNIX ACCESS LIST> = '(' I<UNIX ACCESS> ( [','] I<UNIX ACCESS> )* ')'
 
 B<UNIX RULE CONDS> = ( I<TYPE COND> | I<PROTO COND> )
- each cond can appear at most once
+  Each cond can appear at most once.
 
 B<TYPE COND> = 'type' '='  ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' )
 
 B<PROTO COND> = 'protocol' '='  ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' )
 
 B<UNIX LOCAL EXPR> = ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )*
- each cond can appear at most once
+  Each cond can appear at most once.
 
 B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> )+
- each cond can appear at most once
+  Each cond can appear at most once.
 
 B<UNIX ADDRESS COND> 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
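Review bot: B<UNIX ADDRESS COND> in the last definition of this hunk has no '=' between the name and 'addr', unlike every other production here; since the block is already being touched, add it. Separately, "Each cond can appear at most once." under B<UNIX RULE CONDS> reads oddly because that production is a single alternative ( I<TYPE COND> | I<PROTO COND> ) with no repetition marker, so either the grammar needs a '*' or the qualifier should be reworded.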
@@ -233,13 +237,17 @@ B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' |
 
 B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT TIME> | I<RLIMIT NICE> )
 
-B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'.
+B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' )
+  Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'.
 
-B<RLIMIT NUMBER> = number from 0 to max rlimit value. Only applies ot RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio'
+B<RLIMIT NUMBER> = number from 0 to max rlimit value.
+  Only applies to RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio'.
 
-B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' ) Only applies to RLIMIT of 'cpu', 'rttime'. RLIMIT 'cpu' only allows units >= 'seconds'.
+B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' )
+  Only applies to RLIMIT of 'cpu' and 'rttime'. RLIMIT 'cpu' only allows units E<gt>= 'seconds'.
 
-B<RLIMIT NICE> = a number between -20 and 19. Only applies to RLIMIT of 'nice'
+B<RLIMIT NICE> = a number between -20 and 19.
+  Only applies to RLIMIT of 'nice'.
 
 B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS>  | I<ACCESS> I<FILEGLOB> ) [ '-E<gt>' I<EXEC TARGET> ] )
 
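Review bot: the new B<RLIMIT TIME> qualifier joins its list with "and" ("'cpu' and 'rttime'") while the B<RLIMIT SIZE> and B<RLIMIT NUMBER> qualifiers in the same hunk use comma-only lists. Suggest picking one form for all four qualifiers. The definitions "number from 0 to max rlimit value." and "a number between -20 and 19." now end with a period on the grammar line, which the other productions do not; moving the period to the qualifier line only would keep the grammar lines uniform.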
@@ -251,9 +259,11 @@ B<UNQUOTED FILEGLOB> = (must start with
 
 B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+  (not all combinations are allowed; see below.)
 
-B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' )  ('x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier)
+B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' )
+  A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier.
 
-B<EXEC TARGET> = name  (requires I<EXEC TRANSITION> specified)
+B<EXEC TARGET> = name
+  Requires I<EXEC TRANSITION> specified.
 
 B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB>
 
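Review bot: B<ACCESS> in the leading context keeps its qualifier as a trailing parenthetical, "(not all combinations are allowed; see below.)", which is the same construction this patch converts for B<DBUS ACCESS>. Suggest converting it to an indented "Not all combinations are allowed; see below." line so the file rule section matches. "Requires I<EXEC TRANSITION> specified." would also read better as "Requires an I<EXEC TRANSITION> to be specified."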

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/