apparmor/parser/apparmor_parser.pod

# $Id$
# ----------------------------------------------------------------------
#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
#    NOVELL (All rights reserved)
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------


=pod

=head1 NAME

apparmor_parser - loads AppArmor profiles into the kernel

=head1 SYNOPSIS

B<apparmor_parser [-adrR] [--add] [--debug]  [--replace] [--remove]
                  [--preprocess] [--Include n] [--base n] [ --Complain ]>

B<apparmor_parser [-hv] [--help] [--version]>

=head1 DESCRIPTION

B<apparmor_parser> is used to import new apparmor.d(5) profiles
into the Linux kernel. The profiles restrict the operations available
to processes by executable name.

The profiles are loaded into the Linux kernel by the B<apparmor_parser>
program, which takes its input from standard input. The input supplied to
B<apparmor_parser> should be in the format described in apparmor.d(5).

=head1 OPTIONS

=over 4

=item -a, --add

Insert the AppArmor definitions given into the kernel. This is the default
action. This gives an error message if a AppArmor definition by the same
name already exists in the kernel, or if the parser doesn't understand
its input. It reports when an addition succeeded.

=item -r, --replace

This flag is required if an AppArmor definition by the same name already
exists in the kernel; used to replace the definition already
in the kernel with the definition given on standard input.

=item -R, --remove

This flag is used to remove an AppArmor definition already in the kernel.
Note that it still requires a complete AppArmor definition as described
in apparmor.d(5) even though the contents of the definition aren't
used.

=item -C, --Complain

For the profile to load in complain mode.

=item -B, --binary

Load a binary (cached) profile, as produced with the -S option.

=item -N, --names

Produce a list of policies from a given set of profiles (implies -K).

=item -S, --stdout

Writes a binary (cached) profile to stdout (implies -K and -T).

=item -b n, --base n

Set the base directory for resolving #include directives
defined as relative paths.

=item -I n, --Include n

Add element n to the search path when resolving #include directives
defined as an absolute paths.

=item -f n, --subdomainfs n

Set the location of the apparmor security filesystem (default is
"/sys/kernel/security/apparmor").

=item -m n, --match-string n

Only use match features "n".

=item -n n, --namespace-string n

Force a profile to load in the namespace "n".

=item -X, --readimpliesX

In the case of profiles that are loading on systems were READ_IMPLIES_EXEC
is set in the kernel for a given process, load the profile so that any "r"
flags are processed as "mr".

=item -k, --show-cache

Report the cache processing (hit/miss details) when loading or saving
cached profiles.

=item -K, --skip-cache

Perform no caching at all: disables -W, implies -T.

=item -T, --skip-read-cache

By default, if a profile's cache is found in /etc/apparmor.d/cache/ and
the timestamp is newer than the profile, it will be loaded from the cache.
This option disables this cache loading behavior.

=item -W, --write-cache

Write out cached profiles to /etc/apparmor.d/cache/.  Off by default.
In cases where abstractions have been changed, and the parser is running
with "--replace", it may make sense to also use "--skip-read-cache" with
the "--write-cache" option.

=item -q, --quiet

Do not report on the profiles as they are loaded, and not show warnings.

=item -v, --verbose

Report on the profiles as they are loaded, and show warnings.

=item -V, --version

Print the version number and exit.

=item -d, --debug

Given once, only checks the profiles to ensure syntactic correctness.
Given twice, dumps its interpretation of the profile for checking.

=item -h, --help

Give a quick reference guide.

=back

=head1 BUGS

None known. If you find any, please report them to bugzilla at
L<http://bugzilla.novell.com>.

=head1 SEE ALSO

apparmor(7), apparmor.d(5), subdomain.conf(5), change_hat(2), and
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.

=cut