apparmor/parser/parser.conf

# parser.conf is a global AppArmor config file for the apparmor_parser
#
# It can be used to specify the default options for the parser, which
# can then be overriden by options passed on the command line.
#
# Leading whitespace is ignored and lines that begin with # are treated
# as comments.
#
# Config options are specified one per line using the same format as the
# longform command line options (without the preceding --).
#
# If a value is specified twice the last version to appear is used.

## Suppress Warnings
#quiet

## Be verbose
#verbose

## Set additional include path
#Include /etc/apparmor.d/
# or
#Include /usr/share/apparmor


## Set location of apparmor filesystem
#subdomainfs /sys/kernel/security/apparmor

## Set match-string to use - for forcing compiler to treat different kernels
## the same
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"

## Turn creating/updating of the cache on by default
#write-cache

## Show cache hits
#show-cache

## skip cached policy
#skip-cache

## skip reading cache but allow updating
#skip-read-cache


#### Set Optimizaions.  Multiple Optimizations can be set, one per line ####
# For supported optimizations see
#   apparmor_parser --help=O

## Turn on equivalence classes
#equiv

## Turn off expr tree simplification
#Optimize=no-expr-simplify

## Turn off DFA minimization
#Optimize=no-minimize

## Adjust compression
#Optimize=compress-small
#Optimize=compress-fast

### The policy-features abi rule pins policy that does not have an abi
### rule to a given feature ABI. This enables apparmor 2.x developed
### policy to be used in AppArmor 3.x without the warning
###    Warning from stdin (stdin line 1): apparmor_parser: File 'example'
###    missing feature abi, falling back to default policy feature abi.

### Only a single feature ABI rule should be used at a time.
## Pin older policy to the 5.4 kernel abi
#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network

## Pin older policy to the 5.4 kernel abi + out of tree network and af_unix
#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla
Commit the example parser.conf file that was supposed to be part of commit r1834 Signed-off-by: John Johansen <john.johansen@canonical.com> 2011-10-09 20:15:03 -07:00			`# parser.conf is a global AppArmor config file for the apparmor_parser`
			`#`
			`# It can be used to specify the default options for the parser, which`
			`# can then be overriden by options passed on the command line.`
			`#`
			`# Leading whitespace is ignored and lines that begin with # are treated`
			`# as comments.`
			`#`
			`# Config options are specified one per line using the same format as the`
			`# longform command line options (without the preceding --).`
			`#`
			`# If a value is specified twice the last version to appear is used.`

			`## Suppress Warnings`
			`#quiet`

			`## Be verbose`
			`#verbose`

parser: adjust parser.conf example Include statements The parser.conf example statement for Include statements used /etc/apparmor.d/abstractions which is unlikely to make anyone enabling it happy as our shipped and example policies all include the 'abstractions/' directory in the relative paths. This patch adjusts the example and provides a second example, based on an enabled entry as shipped in Ubuntu. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> 2015-03-09 10:43:13 -07:00			`## Set additional include path`
			`#Include /etc/apparmor.d/`
			`# or`
			`#Include /usr/share/apparmor`

Commit the example parser.conf file that was supposed to be part of commit r1834 Signed-off-by: John Johansen <john.johansen@canonical.com> 2011-10-09 20:15:03 -07:00
			`## Set location of apparmor filesystem`
			`#subdomainfs /sys/kernel/security/apparmor`

			`## Set match-string to use - for forcing compiler to treat different kernels`
			`## the same`
			`# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"`

			`## Turn creating/updating of the cache on by default`
			`#write-cache`

			`## Show cache hits`
			`#show-cache`

			`## skip cached policy`
			`#skip-cache`

			`## skip reading cache but allow updating`
			`#skip-read-cache`


			`#### Set Optimizaions. Multiple Optimizations can be set, one per line ####`
			`# For supported optimizations see`
			`# apparmor_parser --help=O`

			`## Turn on equivalence classes`
			`#equiv`

			`## Turn off expr tree simplification`
			`#Optimize=no-expr-simplify`

			`## Turn off DFA minimization`
			`#Optimize=no-minimize`

			`## Adjust compression`
			`#Optimize=compress-small`
			`#Optimize=compress-fast`
policy: Provide example and base abi to pin pre 3.0 policy Provide example rules in parser.conf to pin pre 3.0 policy and appropriate abi files. abis for vanilla upstream kernels and outoftree network patched kernels are provided. With both ABIs dropping v8 support from advertised by the kernel as 2.x policy/userspace did not support it. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/598 Acked-by: Steve Beattie <steve.beattie@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-08-27 09:33:54 -07:00
			`### The policy-features abi rule pins policy that does not have an abi`
			`### rule to a given feature ABI. This enables apparmor 2.x developed`
			`### policy to be used in AppArmor 3.x without the warning`
			`### Warning from stdin (stdin line 1): apparmor_parser: File 'example'`
			`### missing feature abi, falling back to default policy feature abi.`

			`### Only a single feature ABI rule should be used at a time.`
			`## Pin older policy to the 5.4 kernel abi`
			`#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network`

			`## Pin older policy to the 5.4 kernel abi + out of tree network and af_unix`
			`#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla`