mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00

man page touchups

This makes some of the references to functions in the aa_query_label(2)
manpage more consistent and fixes a couple of grammar issues. It also
tries to make the qualifying statements in apparmor.d(5) more distinct,
and also fixes some typos there as well.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This commit is contained in:
Steve Beattie 2016-03-19 01:48:11 -07:00
parent fd8ccd3dd7
commit e69891c222
2 changed files with 33 additions and 23 deletions

View File

@ -47,22 +47,22 @@ Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION =head1 DESCRIPTION
The aa_query_label function fetches the current permissions granted by the The B<aa_query_label> function fetches the current permissions granted by the
specified I<label> in the I<query> string. specified I<label> in the I<query> string.
The query is a raw binary formatted query, containing the label and The query is a raw binary formatted query, containing the label and
permission query to make. The returned I<allowed> and I<audited> values are permission query to make. The returned I<allowed> and I<audited> values are
interpreted boolean values, simple stating whether the query is allowed and interpreted boolean values, simply stating whether the query is allowed and
if it is audited. if it is audited.
The mask of the query string is a bit mask of permissions to query and is The mask of the query string is a bit mask of permissions to query and is
class type dependent (see AA_CLASS_xxx) entries in I<sys/apparmor.h>. class type dependent (see B<AA_CLASS_xxx> entries in I<sys/apparmor.h>).
The format of the query string is also dependent on the B<AA_CLASS> and as The format of the query string is also dependent on the B<AA_CLASS> and as
such the the aa_query_xxx helper functions should usually be used instead such the B<aa_query_xxx> helper functions should usually be used instead
of directly using I<aa_query_label>. If directly using the interface the of directly using B<aa_query_label>. If directly using the interface the
I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE> I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
that will be used by I<aa_query_label>. that will be used by B<aa_query_label>.
The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper
function that assemble a properly formatted file path query for the function that assemble a properly formatted file path query for the
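Review bot: "are helper function that assemble" on the last two lines of this hunk is a number-agreement error that this grammar pass leaves in place (it is the same in the old and new text); two functions are named, so it should read "are helper functions that assemble". In the same hunk, "If directly using the interface the I<query> string is required to have a header" wants a comma after "interface", and since the sentence before it now uses B<aa_query_label>, the two remaining references in that paragraph already match; no further B<>/I<> mixing is left in this part of DESCRIPTION.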
@ -92,9 +92,9 @@ error, -1 is returned, and errno(3) is set appropriately.
The requested I<mask> is empty. The requested I<mask> is empty.
The I<size> of the query is E<lt> the query B<AA_QUER?Y_CMD_LABEL_SIZE> The I<size> of the query is less than the query B<AA_QUERY_CMD_LABEL_SIZE>
The apparmor kernel module is not loaded or the he kernel interface access The apparmor kernel module is not loaded or the kernel interface access
interface is not available interface is not available
=item B<ENOMEM> =item B<ENOMEM>
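Review bot: "less than the query B<AA_QUERY_CMD_LABEL_SIZE>" still reads oddly; the constant is the size of the header the caller must reserve, not a query, so "less than B<AA_QUERY_CMD_LABEL_SIZE>" (or "smaller than the B<AA_QUERY_CMD_LABEL_SIZE> header") says what is meant. The next item keeps "the kernel interface access interface is not available", which repeats "interface"; "the kernel interface is not available" is enough. Both of these descriptions also lack a terminating period, unlike "The requested I<mask> is empty." just above them.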

View File

@ -46,13 +46,15 @@ to the policy; this behaviour is modelled after cpp(1).
B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )* B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )*
B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* (variable assignment must come before the profile) B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )*
Variable assignment must come before the profile.
B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> ) B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
B<ABS PATH> = '"' path '"' (the path is passed to open(2)) B<ABS PATH> = '"' path '"' (the path is passed to open(2))
B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>' (the path is relative to F</etc/apparmor.d/>) B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>'
The path is relative to F</etc/apparmor.d/>.
B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n' B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'
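Review bot: the hunk is inconsistent about which qualifying remarks get split out: B<MAGIC PATH>'s "(the path is relative to F</etc/apparmor.d/>)" becomes its own sentence, but B<ABS PATH>'s "(the path is passed to open(2))" on the line directly above stays parenthetical; pick one treatment for both. If this grammar sits in a verbatim (indented) POD block, the new standalone lines "Variable assignment must come before the profile." and "The path is relative to F</etc/apparmor.d/>." must carry the same leading indentation as the production lines, otherwise pod2man ends the verbatim block there and reflows them as ordinary paragraphs.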
@ -86,7 +88,7 @@ B<SUBPROFILE> = 'profile' I<PROFILE NAME> [ I<ATTACHMENT SPECIFICATION> ] [ I<PR
B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}' B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
B<HATNAME> = ( must start with alphanumeric character. see aa_change_hat(2) for a description of how this "hat" is used. IF '^' is used to start a hat then there is no space between the '^' and I<HATNAME>) B<HATNAME> = (must start with alphanumeric character. See aa_change_hat(2) for a description of how this "hat" is used. If '^' is used to start a hat then there is no space between the '^' and I<HATNAME>)
B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK> B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK>
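Review bot: "must start with alphanumeric character" is missing its article in both the old and the new text; "must start with an alphanumeric character". The rest of the B<HATNAME> explanation also remains a three-sentence parenthetical, which is exactly the shape the other hunks in this commit move onto a separate line; for consistency with B<PREAMBLE> and B<MAGIC PATH> above, keep "B<HATNAME> = (must start with an alphanumeric character)" as the production and put the aa_change_hat(2) reference and the no-space-after-'^' rule in the sentence that follows it.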
@ -193,31 +195,33 @@ B<DBUS LABEL> = 'label' '=' '(' '"' I<AARE> '"' | I<AARE> ')'
B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS> B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS>
B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' ) (some accesses are incompatible with some rules; see below.) B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' )
Some accesses are incompatible with some rules; see below.
B<AARE> = B<?*[]{}^> (see below for meanings) B<AARE> = B<?*[]{}^>
See below for meanings.
B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ] B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]
B<UNIX ACCESS EXPR> = ( I<UNIX ACCESS> | I<UNIX ACCESS LIST> ) B<UNIX ACCESS EXPR> = ( I<UNIX ACCESS> | I<UNIX ACCESS LIST> )
B<UNIX ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) B<UNIX ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional parameters) Some access modes are incompatible with some rules or require additional parameters.
B<UNIX ACCESS LIST> = '(' I<UNIX ACCESS> ( [','] I<UNIX ACCESS> )* ')' B<UNIX ACCESS LIST> = '(' I<UNIX ACCESS> ( [','] I<UNIX ACCESS> )* ')'
B<UNIX RULE CONDS> = ( I<TYPE COND> | I<PROTO COND> ) B<UNIX RULE CONDS> = ( I<TYPE COND> | I<PROTO COND> )
each cond can appear at most once Each cond can appear at most once.
B<TYPE COND> = 'type' '=' ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' ) B<TYPE COND> = 'type' '=' ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' )
B<PROTO COND> = 'protocol' '=' ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' ) B<PROTO COND> = 'protocol' '=' ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' )
B<UNIX LOCAL EXPR> = ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )* B<UNIX LOCAL EXPR> = ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )*
each cond can appear at most once Each cond can appear at most once.
B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> )+ B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> )+
each cond can appear at most once Each cond can appear at most once.
B<UNIX ADDRESS COND> 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' ) B<UNIX ADDRESS COND> 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
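Review bot: the last line of the hunk, "B<UNIX ADDRESS COND> 'addr' '='", is missing the "=" between the nonterminal and its definition, unlike every other production shown here (compare "B<UNIX PEER EXPR> = 'peer' '='" two lines up). It predates this change but belongs in the same touchup: "B<UNIX ADDRESS COND> = 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )". Otherwise the split sentences read fine; "Each cond can appear at most once." is repeated verbatim after three different productions, which is acceptable in a grammar listing.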
@ -233,13 +237,17 @@ B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' | 'stack' | 'core' | 'rss' | 'nofile' | '
B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT TIME> | I<RLIMIT NICE> ) B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT TIME> | I<RLIMIT NICE> )
B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'. B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' )
Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'.
B<RLIMIT NUMBER> = number from 0 to max rlimit value. Only applies ot RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio' B<RLIMIT NUMBER> = number from 0 to max rlimit value.
Only applies to RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio'.
B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' ) Only applies to RLIMIT of 'cpu', 'rttime'. RLIMIT 'cpu' only allows units >= 'seconds'. B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' )
Only applies to RLIMIT of 'cpu' and 'rttime'. RLIMIT 'cpu' only allows units E<gt>= 'seconds'.
B<RLIMIT NICE> = a number between -20 and 19. Only applies to RLIMIT of 'nice' B<RLIMIT NICE> = a number between -20 and 19.
Only applies to RLIMIT of 'nice'.
B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS> | I<ACCESS> I<FILEGLOB> ) [ '-E<gt>' I<EXEC TARGET> ] ) B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS> | I<ACCESS> I<FILEGLOB> ) [ '-E<gt>' I<EXEC TARGET> ] )
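Review bot: "B<RLIMIT NUMBER> = number from 0 to max rlimit value." and "B<RLIMIT NICE> = a number between -20 and 19." describe their operand in prose, while B<RLIMIT SIZE> and B<RLIMIT TIME> in the same hunk use the I<NUMBER> nonterminal; writing "B<RLIMIT NUMBER> = I<NUMBER>" and "B<RLIMIT NICE> = I<NUMBER>" followed by the range sentence keeps the grammar uniform. In the new line "RLIMIT 'cpu' only allows units E<gt>= 'seconds'", quoting 'seconds' suggests that only that spelling is accepted although 's', 'sec' and 'second' are in the alternative list just above; "units of one second or larger" avoids the ambiguity.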
@ -251,9 +259,11 @@ B<UNQUOTED FILEGLOB> = (must start with '/' (after variable expansion), B<AARE>
B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+ (not all combinations are allowed; see below.) B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+ (not all combinations are allowed; see below.)
B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' ) ('x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier) B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' )
A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier.
B<EXEC TARGET> = name (requires I<EXEC TRANSITION> specified) B<EXEC TARGET> = name
Requires I<EXEC TRANSITION> specified.
B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB> B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB>
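Review bot: B<ACCESS> keeps "(not all combinations are allowed; see below.)" as an inline parenthetical although the two productions right after it in this hunk, B<EXEC TRANSITION> and B<EXEC TARGET>, have their qualifier moved onto a separate sentence; apply the same split here. The new sentence "A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier." is a comma splice; "A bare 'x' is only allowed in rules with the deny qualifier; all other transitions are only allowed without it." reads cleanly and says the same thing.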