From c92b5c71e5cb32285fa50b95685812c3c4bfda88 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Tue, 24 Mar 2015 03:52:43 -0700
Subject: [PATCH] Update apparmor.d man page to document file rules with
 leading permissions

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
---
 parser/apparmor.d.pod | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 5c9789666..661d924e1 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -195,7 +195,7 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
 B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
-B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ] ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS>  [ -E<gt> <EXEC TARGET> ] ','
+B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ] ( ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS>  | [I<ACCESS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) ) [ -E<gt> <EXEC TARGET> ] ','
 
 B<FILEGLOB> = (must start with '/' (after variable expansion), B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
 
@@ -513,6 +513,19 @@ on the new link, it must match the original file exactly.
 Allows the program to be able lock a file with this name.  This permission
 covers both advisory and mandatory locking.
 
+=item B<leading OR trailing access permissions>
+
+File rules can be specified with the access permission either leading
+or trailing the file glob. Eg.
+
+  rw /**,		# leading permissions
+
+  /** rw,		# trailing permissions
+
+When a leading permissions is used further rule options and context
+may be allowed, Eg.
+  l /foo -> /bar,	# lead 'l' link permission is equivalent to link rules
+
 =back
 
 =head2 Comments