[apparmor] [PATCH 10/11] parser: Document change_profile exec modes in apparmor.d man page
John Johansen
john.johansen at canonical.com
Fri May 27 12:25:45 UTC 2016
On 05/25/2016 01:59 PM, Tyler Hicks wrote:
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/apparmor.d.pod | 18 +++++++++++++++++-
> 1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 96d8ec4..fff471b 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -277,7 +277,9 @@ B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
>
> B<ALPHANUMERIC> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
>
> -B<CHANGE_PROFILE RULE> = 'change_profile' [ I<EXEC COND> ] [ '-E<gt>' I<PROFILE NAME> ]
> +B<CHANGE_PROFILE RULE> = 'change_profile' [ [ I<EXEC MODE> ] I<EXEC COND> ] [ '-E<gt>' I<PROFILE NAME> ]
> +
> +B<EXEC_MODE> = ( 'safe' | 'unsafe' )
>
> B<EXEC COND> = I<FILEGLOB>
>
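Review bot: the new non-terminal is declared as B<EXEC_MODE> (underscore) but the CHANGE_PROFILE RULE line references it as I<EXEC MODE> (space), so the grammar as written never resolves the reference; the other non-terminals in this section use spaces (B<EXEC COND>, I<PROFILE NAME>), so the declaration should read `B<EXEC MODE> = ( 'safe' | 'unsafe' )`.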
> @@ -1208,6 +1210,20 @@ rule set. Eg.
> /bin/bash Px -> new_profile1,
> change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3},
>
> +The exec mode dictates whether or not the Linux Kernel's B<unsafe_exec>
> +routines should be used to scrub the environment, similar to setuid programs.
> +(See ld.so(8) for some information on setuid/setgid environment scrubbing.) The
> +B<safe> mode sets up environment scrubbing to occur when the new application is
> +executed and B<unsafe> mode disables AppArmor's requirement for environment
> +scrubbing (the kernel and/or libc may still require environment scrubbing). An
> +exec mode can only be specified when an exec condition is present.
> +
> + change_profile safe /bin/bash -> new_profile,
> +
> +Not all kernels support B<safe> mode and the parser will downgrade rules to
> +B<unsafe> mode in that situation. If no exec mode is specified, the default is
> +B<safe> mode in kernels that support it.
> +
> =head2 rlimit rules
>
> AppArmor can set and control the resource limits associated with a
>
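Review bot: the last paragraph says the parser downgrades rules to B<unsafe> mode on kernels without B<safe> support, but does not say whether that happens silently or with a warning; since an explicitly written `safe` keyword then no longer guarantees environment scrubbing, the text should state how the downgrade is reported so policy authors can tell which behaviour they actually got. Also, "Linux Kernel" should be "Linux kernel", consistent with the rest of the page.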