mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
ec19ff9f72
The comments describing the example rules to pin the abi are wrong. The comments of the two example rules are swapped resulting in confusion. While we are at it. Add a reference to the wiki doc on abi, and how to disable abi warnings without pinning. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/648 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
79 lines
2.2 KiB
Text
79 lines
2.2 KiB
Text
# parser.conf is a global AppArmor config file for the apparmor_parser
|
|
#
|
|
# It can be used to specify the default options for the parser, which
|
|
# can then be overriden by options passed on the command line.
|
|
#
|
|
# Leading whitespace is ignored and lines that begin with # are treated
|
|
# as comments.
|
|
#
|
|
# Config options are specified one per line using the same format as the
|
|
# longform command line options (without the preceding --).
|
|
#
|
|
# If a value is specified twice the last version to appear is used.
|
|
|
|
## Suppress Warnings
|
|
#quiet
|
|
|
|
## Be verbose
|
|
#verbose
|
|
|
|
## Set additional include path
|
|
#Include /etc/apparmor.d/
|
|
# or
|
|
#Include /usr/share/apparmor
|
|
|
|
|
|
## Set location of apparmor filesystem
|
|
#subdomainfs /sys/kernel/security/apparmor
|
|
|
|
## Set match-string to use - for forcing compiler to treat different kernels
|
|
## the same
|
|
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
|
|
|
|
## Turn creating/updating of the cache on by default
|
|
#write-cache
|
|
|
|
## Show cache hits
|
|
#show-cache
|
|
|
|
## skip cached policy
|
|
#skip-cache
|
|
|
|
## skip reading cache but allow updating
|
|
#skip-read-cache
|
|
|
|
|
|
#### Set Optimizaions. Multiple Optimizations can be set, one per line ####
|
|
# For supported optimizations see
|
|
# apparmor_parser --help=O
|
|
|
|
## Turn on equivalence classes
|
|
#equiv
|
|
|
|
## Turn off expr tree simplification
|
|
#Optimize=no-expr-simplify
|
|
|
|
## Turn off DFA minimization
|
|
#Optimize=no-minimize
|
|
|
|
## Adjust compression
|
|
#Optimize=compress-small
|
|
#Optimize=compress-fast
|
|
|
|
### The policy-features abi rule pins policy that does not have an abi
|
|
### rule to a given feature ABI. This enables apparmor 2.x developed
|
|
### policy to be used in AppArmor 3.x without the warning
|
|
### Warning from stdin (stdin line 1): apparmor_parser: File 'example'
|
|
### missing feature abi, falling back to default policy feature abi.
|
|
### For more info please see
|
|
### https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi
|
|
|
|
### Turn off abi rule warnings without pinning the abi
|
|
#warn=no-abi
|
|
|
|
### Only a single feature ABI rule should be used at a time.
|
|
## Pin older policy to the 5.4 kernel abi
|
|
#policy-features=/etc/apparmor.d/abi/kernel-5.4-vanilla
|
|
|
|
## Pin older policy to the 5.4 kernel abi + out of tree network and af_unix
|
|
#policy-features=/etc/apparmor.d/abi/kernel-5.4-outoftree-network
|