mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser/apparmor_parser.pod
John Johansen 5fdf33c689 Add an option to allow setting the cache's location. 
Currently the cache location is fixed and links are needed to move it.
Add an option that can be set in the apparmor_parser.conf file so distros
can locate the cache where ever makes sense for them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
2012-01-11 17:25:18 +01:00

249 lines
7.4 KiB
Text
Raw Blame History

# ----------------------------------------------------------------------
# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
# 2008, 2009
# NOVELL (All rights reserved)
#
# Copyright (c) 2010
# Canonical Ltd. (All rights reserved)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
=pod
=head1 NAME
apparmor_parser - loads AppArmor profiles into the kernel
=head1 SYNOPSIS
B<apparmor_parser [-adrR] [--add] [--debug] [--replace] [--remove]
[--preprocess] [--Include n] [--base n] [ --Complain ]>
B<apparmor_parser [-hv] [--help] [--version]>
=head1 DESCRIPTION
B<apparmor_parser> is used to import new apparmor.d(5) profiles
into the Linux kernel. The profiles restrict the operations available
to processes by executable name.
The profiles are loaded into the Linux kernel by the B<apparmor_parser>
program, which takes its input from standard input. The input supplied to
B<apparmor_parser> should be in the format described in apparmor.d(5).
=head1 OPTIONS
=over 4
=item -a, --add
Insert the AppArmor definitions given into the kernel. This is the default
action. This gives an error message if a AppArmor definition by the same
name already exists in the kernel, or if the parser doesn't understand
its input. It reports when an addition succeeded.
=item -r, --replace
This flag is required if an AppArmor definition by the same name already
exists in the kernel; used to replace the definition already
in the kernel with the definition given on standard input.
=item -R, --remove
This flag is used to remove an AppArmor definition already in the kernel.
Note that it still requires a complete AppArmor definition as described
in apparmor.d(5) even though the contents of the definition aren't
used.
=item -C, --Complain
For the profile to load in complain mode.
=item -B, --binary
Load a binary (cached) profile, as produced with the -S option.
=item -N, --names
Produce a list of policies from a given set of profiles (implies -K).
=item -S, --stdout
Writes a binary (cached) profile to stdout (implies -K and -T).
=item -o file, --ofile file
Writes a binary (cached) profile to the specified file (implies -K and -T)
=item -b n, --base n
Set the base directory for resolving #include directives
defined as relative paths.
=item -I n, --Include n
Add element n to the search path when resolving #include directives
defined as an absolute paths.
=item -f n, --subdomainfs n
Set the location of the apparmor security filesystem (default is
"/sys/kernel/security/apparmor").
=item -m n, --match-string n
Only use match features "n".
=item -n n, --namespace-string n
Force a profile to load in the namespace "n".
=item -X, --readimpliesX
In the case of profiles that are loading on systems were READ_IMPLIES_EXEC
is set in the kernel for a given process, load the profile so that any "r"
flags are processed as "mr".
=item -k, --show-cache
Report the cache processing (hit/miss details) when loading or saving
cached profiles.
=item -K, --skip-cache
Perform no caching at all: disables -W, implies -T.
=item -T, --skip-read-cache
By default, if a profile's cache is found in the location specified by
--cache-loc and the timestamp is newer than the profile, it will be loaded
from the cache. This option disables this cache loading behavior.
=item -W, --write-cache
Write out cached profiles to the location specified in --cache-loc. Off
by default. In cases where abstractions have been changed, and the parser
is running with "--replace", it may make sense to also use
"--skip-read-cache" with the "--write-cache" option.
=item -L, --cache-loc
Set the location of the cache directory. If not specified the cache location
defaults to /etc/apparmor.d/cache
=item -Q, --skip-kernel-load
Perform all actions except the actual loading of a profile into the kernel.
This is useful for testing profile generation, caching, etc, without making
changes to the running kernel profiles.
=item -q, --quiet
Do not report on the profiles as they are loaded, and not show warnings.
=item -v, --verbose
Report on the profiles as they are loaded, and show warnings.
=item -V, --version
Print the version number and exit.
=item -p, --preprocess
Dump the input profile to stdout out applying preprocessing flattening
includes into the output profile.
=item -d, --debug
Given once, only checks the profiles to ensure syntactic correctness.
Given twice, dumps its interpretation of the profile for checking.
=item -D n, --dump=n
Debug flag for dumping various structures and passes of policy compilation.
A single dump flag can be specified per --dump option, but the dump flag
can be passed multiple times. Note progress flags tend to also imply
the matching stats flag.
apparmor_parser --dump=dfa-stats --dump=trans-stats <file>
Use --help=dump to see a full list of which dump flags are supported
=item -O n, --optimize=n
Set the optimization flags used by policy compilation. A sinlge optimization
flag can be toggled per -O option, but the optimize flag can be passed
multiple times. Turning off some phases of the optimization can make
it so that policy can't complete compilation due to size constraints
(it is entirely possible to create a dfa with millions of states that will
take days or longer to compile).
Note: The parser is set to use a balanced default set of flags, that
will result in resonable compression but not take excessive amounts
of time to complete.
Use --help=optimize to see a full list of which optimization flags are
supported.
=item -h, --help
Give a quick reference guide.
=back
=head1 CONFIG FILE
An optional config file /etc/apparmor/parser.conf can be used to specify the
default options for the parser, which then can be overridden using the command
line options.
The config file ignores leading whitespace and treats lines that begin with #
as comments. Config options are specified one per line using the same format
as the longform command line options (without the preceding --).
Eg.
#comment
optimize=no-expr-tree
optimize=compress-fast
As with the command line some options accumulate and others override, ie. when
there are conflicting versions of switch the last option is the one chosen.
Eg.
Optimize=no-minimize
Optimize=minimize
would result in Optimize=minimize being set.
The Include, Dump, and Optimize options accululate except for the inversion
option (no-X vs. X), and a couple options that work by setting/clearing
multiple options (compress-small). In that case the option will override
the flags it sets but will may accumulate with others.
All other options override previously set values.
=head1 BUGS
If you find any bugs, please report them at
L<http://https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), subdomain.conf(5), aa_change_hat(2), and
L<http://wiki.apparmor.net>.
=cut
Reference in a new issue View git blame Copy permalink