diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 8f1059888..9eeebcb25 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -251,7 +251,7 @@ B = (must start with '/' (after variable expansion), B B = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I )+ (not all combinations are allowed; see below.) -B = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' ) +B = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' ) ('x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier) B = name (requires I specified) @@ -366,6 +366,10 @@ modes: - transition to subprofile on execute with fallback to unconfined -- scrub the environment +=item B + +- disallow execute (in rules with the deny qualifier) + =item B - allow PROT_EXEC with mmap(2) calls @@ -425,7 +429,7 @@ over the callee. Use this mode only if the child absolutely must be run unconfined and LD_PRELOAD must be used. Any profile using this mode provides negligible security. Use at your own risk. -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -439,7 +443,7 @@ designated child processes to be run without any AppArmor protection. Use this mode only if the child absolutely must be run unconfined. Use at your own risk. -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -451,7 +455,7 @@ B 'px' does not scrub the environment of variables such as LD_PRELOAD; as a result, the calling domain may have an undue amount of influence over the callee. -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B 
@@ -460,7 +464,7 @@ will invoke the Linux Kernel's B routines to scrub the environment, similar to setuid programs. (See ld.so(8) for some information on setuid/setgid environment scrubbing.) -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -472,7 +476,7 @@ B 'cx' does not scrub the environment of variables such as LD_PRELOAD; as a result, the calling domain may have an undue amount of influence over the callee. -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -481,7 +485,7 @@ will invoke the Linux Kernel's B routines to scrub the environment, similar to setuid programs. (See ld.so(8) for some information on setuid/setgid environment scrubbing.) -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -495,7 +499,7 @@ profile, or losing the permissions of the current profile. There is no version to scrub the environment because 'ix' executions don't change privileges. -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -509,7 +513,7 @@ the 'ix' transition mode. 'Cix' == 'Cx' with fallback to 'ix' 'cix' == 'cx' with fallback to 'ix' -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. =item B @@ -524,7 +528,14 @@ if 'PUx', 'CUx' is used. 'CUx' == 'Cx' with fallback to 'Ux' 'cux' == 'cx' with fallback to 'ux' -Incompatible with other exec transition modes. +Incompatible with other exec transition modes and the deny qualifier. + +=item B + +For rules including the deny modifier, only 'x' is allowed to deny execute. + +The 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes conflict with the deny +modifier. =item B
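Review bot: the parenthetical added to the exec-mode grammar line in the -251 hunk is hard to parse ("everything else only without the deny qualifier"); split it into two plain statements, e.g. "'x' is only allowed in rules with the deny qualifier; all other exec modes are only allowed in rules without it."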
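Review bot: the identical sentence "Incompatible with other exec transition modes and the deny qualifier." is appended to nine separate mode entries (-425, -439, -451, -460, -472, -481, -495, -509, -524), while the new deny-qualifier item at the end of the patch already states which modes conflict with deny. Either keep the per-mode sentences as they were and refer readers to that item, or make sure all nine stay in sync with it; duplicated rules in a man page tend to drift apart on the next change.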
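Review bot: the new =item in the -524 hunk is inconsistent with the rest of the patch in two places. It says "deny modifier" twice, whereas the grammar line and every "Incompatible with ..." sentence say "deny qualifier"; pick one term. Its list "The 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes conflict with the deny modifier." omits 'ux' and 'Ux', even though the -425 and -439 hunks mark those as incompatible with deny too; either add them or state that every exec mode other than 'x' conflicts with deny.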