diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index ae75e584a..fac14ae2e 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -74,7 +74,9 @@ B = (non-whitespace characters except for '^', must start with '/'. Emb B = '^' (non-whitespace characters; see change_hat(2) for a description of how this "hat" is used.) -B = ( '"' I '"' | I ) I ',' +B = I ( '"' I '"' | I ) I ',' + +B = [ 'audit' ] [ 'deny' ] [ 'owner' ] B = (must start with '/' (after variable expansion), B have special meanings; see below. May include I. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.) @@ -380,6 +382,30 @@ Directories anywhere underneath F. =back +=head2 Rule Qualifiers + +There are several rule qualifiers that can be applied to permission rules. +Rule qualifiers can modify the rule and/or permissions within the rule. + +=over 4 + +=item B + +Specifies that permissions requests that match the rule should be recorded +to the audit log. + +=item B + +Specifies that permissions requests that match the rule should be denied +without logging. Can be combined with 'audit' to enable logging. + +=item B + +Specifies that the task must have the same euid/fsuid as the object being +referenced by the permission check. + +=back + =head2 #include mechanism AppArmor provides an easy abstraction mechanism to group common file
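Review bot: In the first hunk the new production "[ 'audit' ] [ 'deny' ] [ 'owner' ]" fixes the keyword order, but the text added in the second hunk never says whether another order (for example 'deny audit') is rejected by the parser or accepted. Please state in the Rule Qualifiers section that the qualifiers are optional and must appear in this order, if that is what the parser enforces. Also, only one rule production gains the qualifier prefix here, while the new section says qualifiers "can be applied to permission rules" in general. Either name the rule types that accept qualifiers or update the other productions in the grammar to match.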
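Review bot: In the second hunk, the 'deny' item says matching requests are "denied without logging" but does not say what happens when an allow rule in the same profile matches the same request, which is the first thing a profile author needs to know before relying on it. Please add a sentence on precedence between deny and allow rules. The 'owner' item's "same euid/fsuid" leaves open which id is compared for which kind of object, and does not say whether 'owner' can be combined with 'deny'; spell both out. A short example rule using each qualifier would help, since "can modify the rule and/or permissions within the rule" is too vague to act on. Minor: "permissions requests" should read "permission requests" in both the audit and deny items.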