mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity

This patch fixes several formatting issues with the apparmor.d man page:

Browse Source 
- missing formatting code prefixes, usually I for BNFish arguments
 - added blank lines before preformatted sections as the html formatter
   wasn't treating them as seperate from the preceding text (also, they
   generated podchecker warnings)
 - fixed a grammar issue
 - fixed link description text block that was mistakenly indented and
   thus treated as preformatted text
 - moved the "Qualifier Blocks" subsection out of the =over/=back as
   all the pod tools did not like this and it caused podchecker to exit
   with an error, breaking builds that ran make check on the parser
   tree.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
Steve Beattie 2015-06-02 16:05:37 -07:00
parent d7436a872c
commit 23a2d8b68c
1 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
parser/apparmor.d.pod
View File

@ -46,7 +46,7 @@ to the policy; this behaviour is modelled after cpp(1).
B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )* B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )*
B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* (variable assignment must come before the profile) B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* (variable assignment must come before the profile)
B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> ) B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
@ -58,7 +58,7 @@ B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'
B<TEXT> = any characters B<TEXT> = any characters
B<PROFILE> = ( I<PROFILE HEAD> ) [ I<ATTACHMENT SPECIFICATION> ] [ <PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}' B<PROFILE> = ( I<PROFILE HEAD> ) [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
B<PROFILE HEAD> = [ 'profile' ] I<FILEGLOB> | 'profile' I<PROFILE NAME> B<PROFILE HEAD> = [ 'profile' ] I<FILEGLOB> | 'profile' I<PROFILE NAME>
@ -82,9 +82,9 @@ B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVO
B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> | I<QUALIFIER BLOCK> ) B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> | I<QUALIFIER BLOCK> )
B<SUBPROFILE> = 'profile' I<PROFILE NAME> [ I<ATTACHMENT SPECIFICATION> ] [ <PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}' B<SUBPROFILE> = 'profile' I<PROFILE NAME> [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
B<HAT> = ('hat' | '^') I<HATNAME> [ <PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}' B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
B<HATNAME> = ( must start with alphanumeric character. see aa_change_hat(2) for a description of how this "hat" is used. IF '^' is used to start a hat then there is no space between the '^' and I<HATNAME>) B<HATNAME> = ( must start with alphanumeric character. see aa_change_hat(2) for a description of how this "hat" is used. IF '^' is used to start a hat then there is no space between the '^' and I<HATNAME>)
@ -231,7 +231,7 @@ B<RLIMIT RULE> = 'set' 'rlimit' [I<RLIMIT> 'E<lt>=' I<RLIMIT VALUE> ]
B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' | 'stack' | 'core' | 'rss' | 'nofile' | 'ofile' | 'as' | 'nproc' | 'memlock' | 'locks' | 'sigpending' | 'msgqueue' | 'nice' | 'rtprio' | 'rttime' ) B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' | 'stack' | 'core' | 'rss' | 'nofile' | 'ofile' | 'as' | 'nproc' | 'memlock' | 'locks' | 'sigpending' | 'msgqueue' | 'nice' | 'rtprio' | 'rttime' )
B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I <RLIMIT NICE> ) B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT NICE> )
B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'. B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'.
@ -239,7 +239,7 @@ B<RLIMIT NUMBER> = number from 0 to max rlimit value. Only applies ot RLIMIT of
B<RLIMIT NICE> = a number between -20 and 19. Only applies to RLIMIT of 'nice' B<RLIMIT NICE> = a number between -20 and 19. Only applies to RLIMIT of 'nice'
B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS> | I<ACCESS> I<FILEGLOB> ) [ -E<gt> <EXEC TARGET> ] ) B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS> | I<ACCESS> I<FILEGLOB> ) [ -E<gt> I<EXEC TARGET> ] )
B<FILEGLOB> = ( I<QUOTED FILEGLOB> | I<UNQUOTED FILEGLOB> ) B<FILEGLOB> = ( I<QUOTED FILEGLOB> | I<UNQUOTED FILEGLOB> )
@ -253,7 +253,7 @@ B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' |
B<EXEC TARGET> = name (requires I<EXEC TRANSITION> specified) B<EXEC TARGET> = name (requires I<EXEC TRANSITION> specified)
B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] <FILEGLOB> ( 'to' | '-E<gt>' ) <FILEGLOB> B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB>
B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}' B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
@ -532,7 +532,7 @@ determine the profile to transition to from the executable name. It
is however possible to specify the name of the profile that the transition is however possible to specify the name of the profile that the transition
should use. should use.
The name of the profile to transition to is specified using the '->' The name of the profile to transition to is specified using the '-E<gt>'
followed by the name of the profile to transition to. Eg. followed by the name of the profile to transition to. Eg.
/bin/** px -> profile, /bin/** px -> profile,
@ -572,8 +572,9 @@ or trailing the file glob. Eg.
/** rw, # trailing permissions /** rw, # trailing permissions
When a leading permissions is used further rule options and context When leading permissions are used further rule options and context
may be allowed, Eg. may be allowed, Eg.
l /foo -> /bar, # lead 'l' link permission is equivalent to link rules l /foo -> /bar, # lead 'l' link permission is equivalent to link rules
=back =back
@ -593,25 +594,27 @@ Eg.
/link* rw, /link* rw,
link subset /link* -> /**, link subset /link* -> /**,
The link rule allows linking of /link to both /file1 or /file2 by The link rule allows linking of /link to both /file1 or /file2 by
name however because the /link file has 'rw' permissions it is not name however because the /link file has 'rw' permissions it is not
allowed to link to /file1 because that would grant an access path allowed to link to /file1 because that would grant an access path
to /file1 with more permissions than the 'r' permissions the profile to /file1 with more permissions than the 'r' permissions the profile
specifies. specifies.
A link of /link to /file2 would be allowed because the 'rw' permissions A link of /link to /file2 would be allowed because the 'rw' permissions
of /link are a subset of the 'rwk' permissions for /file1. of /link are a subset of the 'rwk' permissions for /file1.
The link rule is equivalent to specifying the 'l' link permission as The link rule is equivalent to specifying the 'l' link permission as
a leading permission with no other file access permissions. When this a leading permission with no other file access permissions. When this
is done the link rule options can be specified. is done the link rule options can be specified.
The following link rule is equivalent to the 'l' permission file rule The following link rule is equivalent to the 'l' permission file rule
link /foo -> bar, link /foo -> bar,
l /foo -> /bar, l /foo -> /bar,
File rules that specify the 'l' permission and don't specify the extend File rules that specify the 'l' permission and don't specify the extend
link permissions map to link rules as follows. link permissions map to link rules as follows.
/foo l, /foo l,
l /foo, l /foo,
link subset /foo -> /**, link subset /foo -> /**,
@ -1349,6 +1352,8 @@ with the I<allow> qualifier.
Specifies that the task must have the same euid/fsuid as the object being Specifies that the task must have the same euid/fsuid as the object being
referenced by the permission check. referenced by the permission check.
=back
=head3 Qualifier Blocks =head3 Qualifier Blocks
Rule Qualifiers can be applied to multiple rules at a time by grouping the Rule Qualifiers can be applied to multiple rules at a time by grouping the
@ -1359,8 +1364,6 @@ rules into a rule block.
network, network,
} }
=back
=head2 #include mechanism =head2 #include mechanism
AppArmor provides an easy abstraction mechanism to group common file AppArmor provides an easy abstraction mechanism to group common file