mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/logprof.conf.pod
Steve Beattie 60f2312372 Subject: Add manpages to utils package. 
Move the autodep(8), complain(8), enforce(8), logprof(8), genprof(8),
unconfined(8), logprof.conf(5), and apparmor_status(8) manpages, along
with their aa- form symlinks, to the utils package.
2007-04-03 19:13:35 +00:00

116 lines
4 KiB
Text
Raw Blame History

# $Id$
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
=pod
=head1 NAME
logprof.conf - configuration file for expert options that modify the
behavior of the AppArmor logprof(1) program.
=head1 DESCRIPTION
The logprof(1) program can be configured to have certain default behavior
by the contents of logprof.conf.
The B<[qualifiers]> section lists specific programs that should have
a subset of the full ix/px/ux list when asking what mode to execute
it using.
Since creating a separate profile for /bin/bash is dangerous, we can
specify that for /bin/bash, only (I)nherit, (U)nconstrained, and (D)eny
should be allowed options and only those will show up in the prompt when
we're asking about adding that to a profile.
Likewise, if someone currently exec's /bin/mount in ix or px mode, things
won't work, so we can provide only (U)nconstrained and (D)eny as options.
And certain apps like grep, awk, sed, cp, and mkdir should always
inherit the parent profile rather than having their own profile or
running unconfined, so for them we can specify that only (I)nherit and
(D)eny are the allowed options.
Any programs that are not listed in the qualifiers section get the full
(I)nherit / (P)rofile / (U)nconstrained / (D)eny option set.
If the user is doing something tricky and wants different behavior,
they can tweak or remove the corresponding line in the conf file.
The B<[defaulthat]> section lists changehat-aware programs and what hat
logprof(1) will collapse the entries to for that program if the user
specifies that the access should be allowed, but should not have it's
own hat.
The B<[globs]> section allows modification of the logprof rule engine
with respect to globbing suggestions that the user will be prompted with.
The format of each line is-- "<perl glob> = <apparmor glob>".
When logprof(1) asks about a specific path, if the perl glob matches the
path, it replaces the part of the path that matched with the corresponding
apparmor glob and adds it to the list of globbing suggestions.
Lines starting with # are comments and are ignored.
=head1 EXAMPLE
[qualifiers]
# things will very likely be painfully broken if bash has it's own profile
/bin/bash = iu
# mount doesn't work if it's confined
/bin/mount = u
# these helper utilities should inherit the parent profile and
# shouldn't have their own profiles
/bin/awk = i
/bin/grep = i
/bin/sed = i
[defaulthat]
/usr/sbin/sshd = EXEC
/usr/sbin/httpd2 = DEFAULT_URI
/usr/sbin/httpd2-prefork = DEFAULT_URI
[globs]
# /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
/lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*
# strip kernel version numbers from kernel module accesses
^/lib/modules/[^\/]+\/ = /lib/modules/*/
# strip pid numbers from /proc accesses
^/proc/\d+/ = /proc/*/
=head1 BUGS
None. Please report any you find to bugzilla at
L<http://bugzilla.novell.com>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), enforce(1), change_hat(2),
complain(1), logprof(1), genprof(1), and
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
=cut
Reference in a new issue View git blame Copy permalink