update rule prefixes with basic info

Add basic info about rule prefixes Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 08:24:42 +01:00 · 2023-08-10 17:05:58 -07:00 · 2023-08-10 17:05:58 -07:00 · b5d0e3f124
commit b5d0e3f124
parent f766779bf2
1 changed files with 141 additions and 1 deletions
--- a/rule-prefixes-and-modes.md
+++ b/rule-prefixes-and-modes.md
@ -1 +1,141 @@
-foo
+# AppArmor Rule Prefixes and Modes
 Rule qualifiers allow modifying the behavior of individual
 profile rules. There are qualifiers for setting the rule mode, priority,
 and qualifiers that modify the rules audit behavior.
 ## Rule Modes
 Rule mode allow controlling the enforcement behavior of a profile rule.
 The default is to make the rule an ```allow``` rule if no mode qualifier
 is specified.
 * **allow** - The default mode, the qualifier is optional. For a given
       action is the rule matches the action will be allowed. The
       default audit action of an allow rule is to NOT audit that the
       action was allowed.
 * **deny** - For a given action, if the rule is matched, permission the
       action will be denied, with an EACCES or EPERM error code returned
       to userspace, and by default the violation will be logged with a tag
       of the access being DENIED.
       Within a given priority level deny rules have priority over all
       other rule modes. They can be used to carve out permissions from
       an allow rule of the same priority.
 * **kill** (**new** AppArmor 4.0) - This is a variant of enforce deny where
       in addition to returning I<EACCES> or I<EPERM> for a violation, the
       task is also sent a signal to kill it. Within a given priority level
       kill rules have priority over deny rules.
 * **complain** (**new** AppArmor 4.0) - For a given action, if the rule
       is matched the action will be allowed, but the violation will be
       logged with a tag of the access being ALLOWED (similar to the
       complain mode profile flag).
 * **prompt** (**new** AppArmor 4.0) - This is a variant of complain rule
       mode where the access request is sent to a user space daemon to
       determine if it is allowed. This only works with select rules and
       only if supported by the kernel. If the usespace daemon is not
       present the access request will be denied.
 * **access** (**new** AppArmor 4.0**) - This mode declares the rule as
       an audit modifier to other rules. It allows setting broad audit
       controls without granting or denying permission.
 ## audit control for rules
 * **audit** -
 * **quiet** -
 ## rule priority
 The priority qualifer allows raising and lowering the priority of a
 rule so it can override another rule when/where they overlap. Rules
 of the same priority will accumulate permissions in a declarative
 manner as they have always done. But when two rules overlap with a
 different priority the higher priority permission are used for the
 overlapping portion of the rule.
 If a priority is not specified the default priority is 0.
 * **priority=X** (**new** AppArmor 4.0) - allows specifying the priority
        for a given rule. The priority can be possitive or negative. The
 	priority if specified comes before the audit and rule mode qualifiers.
 ```
 priority=10 audit allow file rw @{HOME}/.ssh/*.pub,
 deny file @{HOME}/.ssh/*,
 ```
 ### Priority and rule blocks
 #### Priority overlap will only determine permission for the set of rules
       within the rule block. The block of rules will then be treated
       as a whole as a single rule.
 Eg.
 ```
 profile Eg. {
        deny file w /foo/bar,
        {
                priority=2 allow file rw /foo/**,
                deny file rw /**,
        }
 }
 ```
 In this example the ```deny file w /foo/bar``` in the profile block will
 take priority over the ```priority=2 allow file rw /foo/**``` rule in
 the block, because the whole block at the profile level has the same
 priority as the ```deny file w /foo/bar``` rule.
 Within the block however the ```priority=2 allow file rw /foo/**``` has
 priority over the deny rule.
 If the rule block should be treated with a different priority the
 priority qualifier can be added to the rule block.
 ```
 priority=2 {
 }
 ```
 ## ordered block qualifier
 * **ordered ** (**new** AppArmor 4.0) - The ordered block qualifier
       allows a block of rules to be treated as an ordered set of
       rules where the first rule matched will be applied. This block
       allows specifying rules in a manner similar to many firewalls
       and as such may be more natural for some network rules. Rules
       within an ordered block do not accumumate permissions the way a
       normal appamor declarative block does.
       The ordered block effectively gives each rule in the block a
       unique priority with the first rule having the highest priority
       and each following rule a lower priority.
       The priority qualifier is not allowed within an ordered block.
 ```
 profile Eg {
       ordered {
           allow network inet stream,
 	   deny network tcp,
       }
 }
 ```
 In this example the ```network inet stream``` rule will have priority over
 the ```deny network tcp``` rule even though normally the deny rule would
 dominate and disallow the access.