[Apparmor-dev] Profile syntax changes?
John Johansen
jjohansen at suse.de
Wed Aug 8 19:06:33 MDT 2007
On Thu, Aug 09, 2007 at 02:24:54AM +0200, Christian Boltz wrote:
> Hello,
>
> if I got it right, there were several syntax changes in the profile
> files since openSUSE 10.2 was released.
>
> Can someone please send a list of syntax changes and additions?
>
There are only a few changes that have made it so far.

2 new permission modes were added:
  k - lock permission, needed to take an advisory or mandatory lock on
      a file.
  a - append, grants permission for appending writes only. The a perm
      is mutually exclusive to the w perm, i.e. a rule can have either
      'a' or 'w' but not both.

A very crude subset of our networking rules was added. It allows
screening of networking based on type and family. Also the tools
beyond the parser currently only support a subset of the subset :(

syntax
  'network' [[<domain>] [<type>] [<protocol>]] ','
  <domain>   comes from the AF_NAMES with exclusions for local, unix,
             netlink
  <type>     stream, dgram, seqpacket, rdm, raw, packet
  <protocol> tcp, udp, icmp

The protocol specification is very limited currently in that it only
allows those 3 and only if <type> is not specified.

eg.
  network,               # allow all networking
  network inet,          # allow use of all inet networking
  network inet stream,   # allow tcp
  network inet tcp,      # ditto
  network tcp,           # allow inet and inet6 tcp

A new change_profile policy specification was added. Change_profile
is similar to change_hat but allows changing to any profile (including
hats), not just hats. The restriction is that the profiles that can be
changed to must be specified. To change to a hat via change_profile
instead of change_hat, the hat name is specified by separating the
profile and hat_name with //

syntax
  'change_profile' <profile> ','

eg.
  change_profile /bin/foo,       # allow change_profile to /bin/foo
  change_profile /bin/foo//hat,  # allow change_profile to ^hat in /bin/foo

Some other minor changes that are really just bug fixes:
- the ',' used as an end of rule terminator can not occur in the middle
  of a path name unless it is quoted
    /foo,/bar      # used to be valid but isn't anymore
    "/foo,/bar"    # still valid
- the '^' character can be properly used in pathnames and character
  classes
    /foo[^b]       # used to be broken (/foo[ and hat b]) even if it was in
                   # a file rule instead of specifying a profile;
                   # now it is handled correctly

And one more change that you may see in the change log but please
don't support just yet, nor use. The parser supports it but none of
the other tools do. It currently has slightly different syntax for
execute rules and there may be other syntax changes when we support it
in the tools and actually want to start using it.
- The parser now allows writing rules in reverse order
  eg.
    rw /tmp/foo,
> I'd like to update apparmor.vim...
>
Thanks, I know this will make a few people very happy.

There could be a couple of other minor changes I am forgetting but I think
I have covered everything relevant to syntax highlighting.
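As an added illustration of the rule forms listed in this mail (example code, not part of AppArmor or of the mail itself), the following Python splits a profile fragment on unquoted ',' terminators and checks the stated constraints: 'a' and 'w' are mutually exclusive, a network rule may carry a protocol only when no type is given, change_profile takes one profile name (optionally with a //hat suffix), and reverse-order rules are rejected. The accepted permission letters and the reduction of AF_NAMES to inet/inet6 are assumptions made for the example.

```python
# Added example (not AppArmor code): lint the rule forms described in this mail.
DOMAINS = {"inet", "inet6"}   # assumed subset of AF_NAMES (local/unix/netlink excluded)
TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw", "packet"}
PROTOCOLS = {"tcp", "udp", "icmp"}
PERMS = set("rwxlmkaiup")     # assumed set of file permission letters

SAMPLE = """
/tmp/foo rwk,
/var/log/app.log a,
"/foo,/bar" r,        # constructed: ',' inside quotes is not a terminator
/foo[^b] r,           # '^' inside a character class
network inet stream,
network tcp,
change_profile /bin/foo//hat,
"""

def split_rules(text):
    """Split on ',' terminators outside double quotes; '#' starts a comment."""
    rules, cur, quoted = [], [], False
    for line in text.splitlines():
        for ch in line.split("#", 1)[0]:   # comment stripping is not quote-aware (assumption)
            if ch == '"':
                quoted = not quoted
            if ch == "," and not quoted:
                rules.append("".join(cur).strip()); cur = []
            else:
                cur.append(ch)
        cur.append(" ")                    # a rule may continue on the next line
    return [r for r in rules if r]

def check_rule(rule):
    """Return None if the rule is well formed, else a short reason."""
    words = rule.split()
    if words[0] == "network":              # 'network' [[<domain>] [<type>] [<protocol>]]
        rest = words[1:]
        if rest and rest[0] in DOMAINS:
            rest.pop(0)
        ntype = rest.pop(0) if rest and rest[0] in TYPES else None
        proto = rest.pop(0) if rest and rest[0] in PROTOCOLS else None
        if rest:
            return f"network: unexpected token {rest[0]!r}"
        return "network: protocol only allowed when no <type> is given" if ntype and proto else None
    if words[0] == "change_profile":       # 'change_profile' <profile>[//<hat>]
        return None if len(words) == 2 and words[1].startswith("/") else "change_profile: expected one profile name"
    if len(words) != 2 or not words[0].lstrip('"').startswith("/"):
        return "file rule: expected '<path> <perms>' (reverse order is not supported yet)"
    perms = words[1]
    if set(perms) - PERMS: return f"file rule: unknown permission in {perms!r}"
    return "file rule: 'a' and 'w' are mutually exclusive" if "a" in perms and "w" in perms else None
```

Running `[check_rule(r) for r in split_rules(SAMPLE)]` yields None for every rule, while `check_rule("/tmp/foo aw")`, `check_rule("network inet stream tcp")` and `check_rule("rw /tmp/foo")` each return a reason.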