parser: add support for prompt profile mode

Add support for the prompt profile mode. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 06:16:03 +00:00 · 2019-12-05 14:20:24 -08:00
parent a271b2474c
commit e5dace9ffd
16 changed files with 144 additions and 3 deletions
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -115,7 +115,7 @@ B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of

 B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug'

-B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined'
+B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'

 B<AUDIT MODE> = 'audit'

@@ -459,6 +459,11 @@ profile replacement. This mode is should not be used under regular
 deployment but can be useful during debugging and some system
 initialization scenarios.

+=item B<prompt> This mode allows task mediation to send an up call to
+userspace to ask for a decision when there isn't a rule covering the
+permission request. If userspace does not respond then the access
+will be denied.
+
 =back

 =head4 Audit Mode