mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
Update AppArmorDelegation
parent
9f7983f6ae
commit
d4496b1a8e
1 changed files with 21 additions and 1 deletions
|
@ -182,12 +182,32 @@ If multiple permission rule sets are delegated the delegation have
|
|||
each component in arbitrary order
|
||||
|
||||
```
|
||||
bob//+policy//+father
|
||||
bob//+policy//+father
|
||||
```
|
||||
|
||||
The order of the Delegation is unimportant, the [identity](AppArmorDelegation#Identity) of the task is all of the profiles in the label.
|
||||
|
||||
|
||||
#### task labels with delegated objects
|
||||
|
||||
When delegation to a task is limited to objects
|
||||
|
||||
```
|
||||
profile example {
|
||||
|
||||
px /** -> bob + {
|
||||
open rw /dev/pts/*,
|
||||
}
|
||||
}
|
||||
|
||||
then the task label is NOT extended by the rule set name instead a trailing ```//*``` is added.
|
||||
|
||||
```
|
||||
bob//*
|
||||
```
|
||||
|
||||
|
||||
|
||||
conjunctive normal form
|
||||
|
||||
(bob//&jane)//+police => bob//+police//&jane//+police
|
||||
|
|
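Review bot: The code fence opened before `profile example {` in the new "task labels with delegated objects" section is never closed, so the sentence "then the task label is NOT extended by the rule set name..." renders inside the code block and the fences around `bob//*` end up inverted. Add a closing fence line after the profile's final `}`, and write the inline `//*` with single backticks instead of triple ones. The sentence "When delegation to a task is limited to objects" also ends without punctuation before the example. The trailing "conjunctive normal form" line and its `(bob//&jane)//+police => bob//+police//&jane//+police` example have neither a heading nor a fence, and the example uses `+police` where the earlier label example uses `+policy`; please confirm which name is intended and fence the example like the others.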