parser: Document eavesdropping permission syntax in apparmor.d(5)

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Tyler Hicks 2013-12-06 11:18:17 -08:00
parent 1580ba5ac1
commit 99e509065f


@ -99,12 +99,14 @@ B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec'
B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
B<DBUS RULE> = ( I<DBUS MESSAGE RULE> | I<DBUS SERVICE RULE> | I<DBUS COMBINED RULE> )
B<DBUS RULE> = ( I<DBUS MESSAGE RULE> | I<DBUS SERVICE RULE> | I<DBUS EAVESDROP RULE> | I<DBUS COMBINED RULE> )
B<DBUS MESSAGE RULE> = [ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ] [ I<DBUS PATH> ] [ I<DBUS INTERFACE> ] [ I<DBUS MEMBER> ] [ I<DBUS PEER> ]
B<DBUS SERVICE RULE> = [ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ] [ I<DBUS NAME> ]
B<DBUS EAVESDROP RULE> = [ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ]
B<DBUS COMBINED RULE> = [ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ]
B<DBUS ACCESS EXPRESSION> = ( I<DBUS ACCESS> | '(' I<DBUS ACCESS LIST> ')' )
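Review bot: the new B<DBUS EAVESDROP RULE> production is character-for-character identical to the B<DBUS COMBINED RULE> production directly below it (both read `[ 'audit' ] [ 'deny' ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ]`), so the grammar alone does not tell a reader which rule form a given line is, or why the alternation in B<DBUS RULE> gained a fourth member. Either make the eavesdrop production distinct, for instance `'dbus' 'eavesdrop' [ I<DBUS BUS> ]` if only that single access is meant, or add a parenthetical like the one on B<DBUS ACCESS> pointing to the compatibility paragraph where the difference is actually explained.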
@ -125,7 +127,7 @@ B<DBUS LABEL> = 'label' '=' '(' '"' I<AARE> '"' | I<AARE> ')'
B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS>
B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' ) (some accesses are incompatible with some rules; see below.)
B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' ) (some accesses are incompatible with some rules; see below.)
B<AARE> = B<?*[]{}^> (see below for meanings)
@ -669,7 +671,8 @@ examined.
Some AppArmor DBus permissions are not compatible with all AppArmor DBus rules.
The 'bind' permission cannot be used in message rules. The 'send' and 'receive'
permissions cannot be used in service rules.
permissions cannot be used in service rules. The 'eavesdrop' permission cannot
be used in rules containing any conditionals outside of the 'bus' conditional.
AppArmor DBus permissions are implied when a rule does not explicitly state an
access list. By default, all DBus permissions are implied. Only message
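Review bot: the new sentence restricts 'eavesdrop' to rules with no conditional other than 'bus', but the unchanged paragraph that follows says all DBus permissions are implied when a rule states no access list. With 'eavesdrop' now one of those permissions, the text does not say whether a bare `dbus bus=system,` rule now grants eavesdropping, or whether a rule carrying a path or interface conditional silently drops it from the implied set. One sentence stating how the implied-permission default treats 'eavesdrop' would close that gap. Minor wording: "other than the 'bus' conditional" reads more naturally than "outside of the 'bus' conditional".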
@ -705,6 +708,12 @@ Example AppArmor DBus rules:
member=ExampleMethod
peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
# Allow eavesdropping on the system bus
dbus eavesdrop bus=system,
# Allow and audit all eavesdropping
audit dbus eavesdrop,
=head2 Variables
AppArmor's policy language allows embedding variables into file rules
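Review bot: both new examples are allow forms; the grammar added in this same change lists 'deny' for the eavesdrop rule, and the compatibility paragraph singles out eavesdropping as the most restricted access, so the examples are the natural place to show a denial. Suggest a third entry such as `# Deny eavesdropping on the session bus` followed by `deny dbus eavesdrop bus=session,` so readers see both modifiers applied to the new keyword. Also, the comment "Allow and audit all eavesdropping" could say "on any bus" to make explicit that omitting the 'bus' conditional is what widens the rule.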