File: apparmor.d.pod

package info (click to toggle)
apparmor 2.13.4-3
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, sid
  • size: 28,524 kB
  • sloc: python: 19,111; ansic: 17,059; perl: 11,105; sh: 10,461; cpp: 5,396; yacc: 1,950; makefile: 1,678; pascal: 1,097; lex: 1,092; ruby: 374; exp: 250; java: 212; xml: 159
file content (1628 lines) | stat: -rw-r--r-- 56,145 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
# ----------------------------------------------------------------------
#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
#                  2008, 2009
#    NOVELL (All rights reserved)
#
#    Copyright (c) 2010 - 2014
#    Canonical Ltd. (All rights reserved)
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Novell, Inc or Canonical
#    Ltd.
# ----------------------------------------------------------------------

=pod

=head1 NAME

apparmor.d - syntax of security profiles for AppArmor.

=head1 DESCRIPTION

AppArmor profiles describe mandatory access rights granted to given
programs and are fed to the AppArmor policy enforcement module using
apparmor_parser(8). This man page describes the format of the AppArmor
configuration files; see apparmor(7) for an overview of AppArmor.

Some features are not supported on Debian yet:

=over 8

=item B<Network Rules>

=item B<DBus rules>

=item B<Unix socket rules>

=back

=head1 FORMAT

The following is a BNF-style description of AppArmor policy
configuration files; see below for an example AppArmor policy file.
AppArmor configuration files are line-oriented; B<#> introduces a
comment, similar to shell scripting languages. The exception to this
rule is that B<#include> will I<include> the contents of a file inline
to the policy; this behaviour is modelled after cpp(1).

=over 4

B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )*

B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<ALIAS RULE> | I<INCLUDE> )*
  Variable assignment and alias rules must come before the profile.

B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated values)

B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'

B<ALIAS RULE> = 'alias' I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH> ','

B<INCLUDE> = ( '#include' | 'include' ) [ 'if exists' ] ( I<ABS PATH> | I<MAGIC PATH> )

B<ABS PATH> = '"' path '"' (the path is passed to open(2))

B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>'
  The path is relative to F</etc/apparmor.d/>.

B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'

B<TEXT> = any characters

B<PROFILE> = ( I<PROFILE HEAD> ) [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'

B<PROFILE HEAD> = [ 'profile' ] I<FILEGLOB> | 'profile' I<PROFILE NAME>

B<PROFILE NAME> ( I<UNQUOTED PROFILE NAME> | I<QUOTED PROFILE NAME> )

B<QUOTED PROFILE NAME> = '"' I<UNQUOTED PROFILE NAME> '"'

B<UNQUOTED PROFILE NAME> = (must start with alphanumeric character (after variable expansion), or '/' B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted.)

B<ATTACHMENT SPECIFICATION> = I<FILEGLOB>

B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of I<PROFILE FLAGS> ')'

B<PROFILE FLAGS> = 'complain' | 'audit' | 'enforce' | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative'

B<RULES> = [ ( I<LINE RULES> | I<COMMA RULES> ',' | I<BLOCK RULES> )

B<LINE RULES> = ( I<COMMENT> | I<INCLUDE> ) [ '\r' ] '\n'

B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<DBUS RULE> )

B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> | I<QUALIFIER BLOCK> )

B<SUBPROFILE> = 'profile' I<PROFILE NAME> [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'

B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'

B<HATNAME> = (must start with alphanumeric character. See aa_change_hat(2) for a description of how this "hat" is used. If '^' is used to start a hat then there is no space between the '^' and I<HATNAME>)

B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK>

B<ACCESS TYPE> = ( 'allow' | 'deny' )

B<QUALIFIERS> = [ 'audit' ] [ I<ACCESS TYPE> ]

B<CAPABILITY RULE> = [ I<QUALIFIERS> ] 'capability' [ I<CAPABILITY LIST> ]

B<CAPABILITY LIST> = ( I<CAPABILITY> )+

B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
capabilities(7))

B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]

B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' ) ','

B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )

B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )

B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )

B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]

B<REMOUNT> = [ I<QUALIFIERS> ] 'remount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>

B<UMOUNT> = [ I<QUALIFIERS> ] 'umount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>

B<MOUNT CONDITIONS> = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) I<MOUNT FSTYPE EXPRESSION> ] [ 'options' ( '=' | 'in' ) I<MOUNT FLAGS EXPRESSION> ]

B<MOUNT FSTYPE EXPRESSION> = ( I<MOUNT FSTYPE LIST> | I<MOUNT EXPRESSION> )

B<MOUNT FSTYPE LIST> = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc)

B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )

B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.

B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )

B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...

B<PIVOT ROOT RULE> = [ I<QUALIFIERS> ] pivot_root [ oldroot=I<OLD PUT FILEGLOB> ] [ I<NEW ROOT FILEGLOB> ] [ '-E<gt>' I<PROFILE NAME> ]

B<SOURCE FILEGLOB> = I<FILEGLOB>

B<MOUNTPOINT FILEGLOB> = I<FILEGLOB>

B<OLD PUT FILEGLOB> = I<FILEGLOB>

B<PTRACE_RULE> = [ I<QUALIFIERS> ] 'ptrace' [ I<PTRACE ACCESS PERMISSIONS> ] [ I<PTRACE PEER> ]

B<PTRACE ACCESS PERMISSIONS> = I<PTRACE ACCESS> | I<PTRACE ACCESS LIST>

B<PTRACE ACCESS LIST> = '(' Comma or space separated list of I<PTRACE ACCESS> ')'

B<PTRACE ACCESS> = ( 'r' | 'w' | 'rw' | 'read' | 'readby' | 'trace' | 'tracedby' )

B<PTRACE PEER> = 'peer' '=' I<AARE>

B<SIGNAL_RULE> = [ I<QUALIFIERS> ] 'signal' [ I<SIGNAL ACCESS PERMISSIONS> ] [ I<SIGNAL SET> ] [ I<SIGNAL PEER> ]

B<SIGNAL ACCESS PERMISSIONS> = I<SIGNAL ACCESS> | I<SIGNAL ACCESS LIST>

B<SIGNAL ACCESS LIST> = '(' Comma or space separated list of I<SIGNAL ACCESS> ')'

B<SIGNAL ACCESS> = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' )

B<SIGNAL SET> = 'set' '=' '(' I<SIGNAL LIST> ')'

B<SIGNAL LIST> = Comma or space separated list of I<SIGNALS>

B<SIGNALS> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' )

B<SIGNAL PEER> = 'peer' '=' I<AARE>

B<DBUS RULE> = ( I<DBUS MESSAGE RULE> | I<DBUS SERVICE RULE> | I<DBUS EAVESDROP RULE> | I<DBUS COMBINED RULE> )

B<DBUS MESSAGE RULE> = [ I<QUALIFIERS> ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ] [ I<DBUS PATH> ] [ I<DBUS INTERFACE> ] [ I<DBUS MEMBER> ] [ I<DBUS PEER> ]

B<DBUS SERVICE RULE> = [ I<QUALIFIERS> ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ] [ I<DBUS NAME> ]

B<DBUS EAVESDROP RULE> = [ I<QUALIFIERS> ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ]

B<DBUS COMBINED RULE> = [ I<QUALIFIERS> ] 'dbus' [ I<DBUS ACCESS EXPRESSION> ] [ I<DBUS BUS> ]

B<DBUS ACCESS EXPRESSION> = ( I<DBUS ACCESS> | '(' I<DBUS ACCESS LIST> ')' )

B<DBUS BUS> = 'bus' '=' '(' 'system' | 'session' | '"' I<AARE> '"' | I<AARE> ')'

B<DBUS PATH> = 'path' '=' '(' '"' I<AARE> '"' | I<AARE> ')'

B<DBUS INTERFACE> = 'interface' '=' '(' '"' I<AARE> '"' | I<AARE> ')'

B<DBUS MEMBER> = 'member' '=' '(' '"' I<AARE> '"' | I<AARE> ')'

B<DBUS PEER> = 'peer' '=' '(' [ I<DBUS NAME> ] [ I<DBUS LABEL> ] ')'

B<DBUS NAME> = 'name' '=' '(' '"' I<AARE> '"' | I<AARE> ')'

B<DBUS LABEL> = 'label' '=' '(' '"' I<AARE> '"' | I<AARE> ')'

B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS>

B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' | 'r' | 'read' | 'w' | 'write' | 'rw' )
  Some accesses are incompatible with some rules; see below.

B<AARE> = B<?*[]{}^>
  See below for meanings.

B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ]

B<UNIX ACCESS EXPR> = ( I<UNIX ACCESS> | I<UNIX ACCESS LIST> )

B<UNIX ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
  Some access modes are incompatible with some rules or require additional parameters.

B<UNIX ACCESS LIST> = '(' I<UNIX ACCESS> ( [','] I<UNIX ACCESS> )* ')'

B<UNIX RULE CONDS> = ( I<TYPE COND> | I<PROTO COND> )
  Each cond can appear at most once.

B<TYPE COND> = 'type' '='  ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' )

B<PROTO COND> = 'protocol' '='  ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' )

B<UNIX LOCAL EXPR> = ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )*
  Each cond can appear at most once.

B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> )+
  Each cond can appear at most once.

B<UNIX ADDRESS COND> 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )

B<UNIX LABEL COND> 'label' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )

B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )

B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )

B<RLIMIT RULE> = 'set' 'rlimit' [I<RLIMIT> 'E<lt>=' I<RLIMIT VALUE> ]

B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' | 'stack' | 'core' | 'rss' | 'nofile' | 'ofile' | 'as' | 'nproc' | 'memlock' | 'locks' | 'sigpending' | 'msgqueue' | 'nice' | 'rtprio' | 'rttime' )

B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT TIME> | I<RLIMIT NICE> )

B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' )
  Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'.

B<RLIMIT NUMBER> = number from 0 to max rlimit value.
  Only applies to RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio'.

B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' )
  Only applies to RLIMIT of 'cpu' and 'rttime'. RLIMIT 'cpu' only allows units E<gt>= 'seconds'.

B<RLIMIT NICE> = a number between -20 and 19.
  Only applies to RLIMIT of 'nice'.

B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS>  | I<ACCESS> I<FILEGLOB> ) [ '-E<gt>' I<EXEC TARGET> ] )

B<FILEGLOB> = ( I<QUOTED FILEGLOB> | I<UNQUOTED FILEGLOB> )

B<QUOTED FILEGLOB> = '"' I<UNQUOTED FILEGLOB> '"'

B<UNQUOTED FILEGLOB> = (must start with '/' (after variable expansion), B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)

B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+  (not all combinations are allowed; see below.)

B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' )
  A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier.

B<EXEC TARGET> = name
  Requires I<EXEC TRANSITION> specified.

B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> '-E<gt>' I<FILEGLOB>

B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')

B<ALPHANUMERIC> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')

B<CHANGE_PROFILE RULE> = 'change_profile' [ [ I<EXEC MODE> ] I<EXEC COND> ] [ '-E<gt>' I<PROFILE NAME> ]

B<EXEC_MODE> = ( 'safe' | 'unsafe' )

B<EXEC COND> = I<FILEGLOB>

=back

All resources and programs need a full path. There may be any number of
subprofiles (aka child profiles) in a profile, limited only by kernel
memory. Subprofile names are limited to 974 characters.  Child profiles can
be used to confine an application in a special way, or when you want the
child to be unconfined on the system, but confined when called from the
parent.  Hats are a special child profile that can be used with the
aa_change_hat(2) API call.  Applications written or modified to use
aa_change_hat(2) can take advantage of subprofiles to run under different
confinements, dependent on program logic. Several aa_change_hat(2)-aware
applications exist, including an Apache module, mod_apparmor(5); a PAM
module, pam_apparmor; and a Tomcat valve, tomcat_apparmor. Applications
written or modified to use change_profile(2) transition permanently to the
specified profile. libvirt is one such application.

=head2 Access Modes

File permission access modes consists of combinations of the following
modes:

=over 8

=item B<r>

- read

=item B<w>

- write -- conflicts with append

=item B<a>

- append -- conflicts with write

=item B<ux>

- unconfined execute

=item B<Ux>

- unconfined execute -- scrub the environment

=item B<px>

- discrete profile execute

=item B<Px>

- discrete profile execute -- scrub the environment

=item B<cx>

- transition to subprofile on execute

=item B<Cx>

- transition to subprofile on execute -- scrub the environment

=item B<ix>

- inherit execute

=item B<pix>

- discrete profile execute with inherit fallback

=item B<Pix>

- discrete profile execute with inherit fallback -- scrub the environment

=item B<cix>

- transition to subprofile on execute with inherit fallback

=item B<Cix>

- transition to subprofile on execute with inherit fallback -- scrub the environment

=item B<pux>

- discrete profile execute with fallback to unconfined

=item B<PUx>

- discrete profile execute with fallback to unconfined -- scrub the environment

=item B<cux>

- transition to subprofile on execute with fallback to unconfined

=item B<CUx>

- transition to subprofile on execute with fallback to unconfined -- scrub the environment

=item B<deny x>

- disallow execute (in rules with the deny qualifier)

=item B<m>

- allow PROT_EXEC with mmap(2) calls

=item B<l>

- link

=item B<k>

- lock

=back

=head2 Access Modes Details

=over 4

=item B<r - Read mode>

Allows the program to have read access to the file or directory listing. Read access is
required for shell scripts and other interpreted content.

=item B<w - Write mode>

Allows the program to have write access to the file. Files and directories
must have this permission if they are to be unlinked (removed.)  Write mode
is not required on a directory to rename or create files within the directory.

This mode conflicts with append mode.

=item B<a - Append mode>

Allows the program to have a limited appending only write access to the file.
Append mode will prevent an application from opening the file for write unless
it passes the O_APPEND parameter flag on open.

The mode conflicts with Write mode.

=item B<ux - Unconfined execute mode>

Allows the program to execute the program without any AppArmor profile
being applied to the program.

This mode is useful when a confined program needs to be able to perform
a privileged operation, such as rebooting the machine. By placing the
privileged section in another executable and granting unconfined
execution rights, it is possible to bypass the mandatory constraints
imposed on all confined processes. For more information on what is
constrained, see the apparmor(7) man page.

B<WARNING> 'ux' should only be used in very special cases. It enables the
designated child processes to be run without any AppArmor protection.
'ux' does not scrub the environment of variables such as LD_PRELOAD;
as a result, the calling domain may have an undue amount of influence
over the callee.  Use this mode only if the child absolutely must be
run unconfined and LD_PRELOAD must be used. Any profile using this mode
provides negligible security. Use at your own risk.

Incompatible with other exec transition modes and the deny qualifier.

=item B<Ux - unconfined execute -- scrub the environment>

'Ux' allows the named program to run in 'ux' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)

B<WARNING> 'Ux' should only be used in very special cases. It enables the
designated child processes to be run without any AppArmor protection.
Use this mode only if the child absolutely must be run unconfined. Use
at your own risk.

Incompatible with other exec transition modes and the deny qualifier.

=item B<px - Discrete Profile execute mode>

This mode requires that a discrete security profile is defined for a
program executed and forces an AppArmor domain transition. If there is
no profile defined then the access will be denied.

B<WARNING> 'px' does not scrub the environment of variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.

Incompatible with other exec transition modes and the deny qualifier.

=item B<Px - Discrete Profile execute mode -- scrub the environment>

'Px' allows the named program to run in 'px' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)

Incompatible with other exec transition modes and the deny qualifier.

=item B<cx - Transition to Subprofile execute mode>

This mode requires that a local security profile is defined and forces an
AppArmor domain transition to the named profile. If there is no profile
defined then the access will be denied.

B<WARNING> 'cx' does not scrub the environment of variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.

Incompatible with other exec transition modes and the deny qualifier.

=item B<Cx - Transition to Subprofile execute mode -- scrub the environment>

'Cx' allows the named program to run in 'cx' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)

Incompatible with other exec transition modes and the deny qualifier.

=item B<ix - Inherit execute mode>

Prevent the normal AppArmor domain transition on execve(2) when the
profiled program executes the named program. Instead, the executed resource
will inherit the current profile.

This mode is useful when a confined program needs to call another
confined program without gaining the permissions of the target's
profile, or losing the permissions of the current profile. There is no
version to scrub the environment because 'ix' executions don't change
privileges.

Incompatible with other exec transition modes and the deny qualifier.

=item B<Profile transition with inheritance fallback execute mode>

These modes attempt to perform a domain transition as specified by
the matching permission (shown below) and if that transition fails
to find the matching profile the domain transition proceeds using
the 'ix' transition mode.

  'Pix' == 'Px' with fallback to 'ix'
  'pix' == 'px' with fallback to 'ix'
  'Cix' == 'Cx' with fallback to 'ix'
  'cix' == 'cx' with fallback to 'ix'

Incompatible with other exec transition modes and the deny qualifier.

=item B<Profile transition with unconfined fallback execute mode>

These modes attempt to perform a domain transition as specified by
the matching permission (shown below) and if that transition fails
to find the matching profile the domain transition proceeds using
the 'ux' transition mode if 'pux', 'cux' or the 'Ux' transition mode
if 'PUx', 'CUx' is used.

  'PUx' == 'Px' with fallback to 'Ux'
  'pux' == 'px' with fallback to 'ux'
  'CUx' == 'Cx' with fallback to 'Ux'
  'cux' == 'cx' with fallback to 'ux'

Incompatible with other exec transition modes and the deny qualifier.

=item B<deny x - Deny execute>

For rules including the deny modifier, only 'x' is allowed to deny execute.

The 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes conflict with the deny
modifier.

=item B<Directed profile transitions>

The directed ('px', 'Px', 'pix', 'Pix', 'pux', 'PUx') profile and
subprofile ('cx', 'Cx', 'cix', 'Cix', 'cux', 'CUx') transitions normally
determine the profile to transition to from the executable name. It
is however possible to specify the name of the profile that the transition
should use.

The name of the profile to transition to is specified using the '-E<gt>'
followed by the name of the profile to transition to. Eg.

  /bin/** px -> profile,

Incompatible with other exec transition modes.

=item B<m - Allow executable mapping>

This mode allows a file to be mapped into memory using mmap(2)'s
PROT_EXEC flag. This flag marks the pages executable; it is used on some
architectures to provide non-executable data pages, which can complicate
exploit attempts. AppArmor uses this mode to limit which files a
well-behaved program (or all programs on architectures that enforce
non-executable memory access controls) may use as libraries, to limit
the effect of invalid B<-L> flags given to ld(1) and B<LD_PRELOAD>,
B<LD_LIBRARY_PATH>, given to ld.so(8).

=item B<l - Link mode>

Allows the program to be able to create a link with this name.  When a
link is created, the new link B<MUST> have a subset of permissions as
the original file (with the exception that the destination does not have
to have link access.) If there is an 'x' rule on the new link, it must
match the original file exactly.

=item B<k - lock mode>

Allows the program to be able lock a file with this name.  This permission
covers both advisory and mandatory locking.

=item B<leading OR trailing access permissions>

File rules can be specified with the access permission either leading
or trailing the file glob. Eg.

  rw /**,		# leading permissions

  /** rw,		# trailing permissions

When leading permissions are used further rule options and context
may be allowed, Eg.

  l /foo -> /bar,	# lead 'l' link permission is equivalent to link rules

=back

=head2 Link rules

Link rules allow specifying permission to form a hard link as a link
target pair.  If the subset condition is specified then the permissions
to access the link file must be a subset of the profiles permissions
to access the target file. If there is an 'x' rule on the new link, it
must match the original file exactly.

Eg.

  /file1  r,
  /file2  rwk,
  /link*  rw,
  link subset /link* -> /**,

The link rule allows linking of /link to both /file1 or /file2 by
name however because the /link file has 'rw' permissions it is not
allowed to link to /file1 because that would grant an access path
to /file1 with more permissions than the 'r' permissions the profile
specifies.

A link of /link to /file2 would be allowed because the 'rw' permissions
of /link are a subset of the 'rwk' permissions for /file1.

The link rule is equivalent to specifying the 'l' link permission as
a leading permission with no other file access permissions. When this
is done the link rule options can be specified.

The following link rule is equivalent to the 'l' permission file rule

  link /foo -> bar,
  l /foo -> /bar,

File rules that specify the 'l' permission and don't specify the extend
link permissions map to link rules as follows.

  /foo l,
  l /foo,
  link subset /foo -> /**,

=head2 Comments

Comments start with # and may begin at any place within a line. The
comment ends when the line ends. This is the same comment style as
shell scripts.

=head2 Capabilities

The only capabilities a confined process may use may be enumerated; for
the complete list, please refer to capabilities(7). Note that granting
some capabilities renders AppArmor confinement for that domain advisory;
while open(2), read(2), write(2), etc., will still return error when
access is not granted, some capabilities allow loading kernel modules,
arbitrary access to IPC, ability to bypass discretionary access controls,
and other operations that are typically reserved for the root user.

=head2 Network Rules

AppArmor supports simple coarse grained network mediation.  The network
rule restrict all socket(2) based operations.  The mediation done is
a course grained check on whether a socket of a given type and family
can be created, read, or written.  There is no mediation based of port
number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
only specify type 'dgram' and 'raw'.

AppArmor network rules are accumulated so that the granted network
permissions are the union of all the listed network rule permissions.

AppArmor network rules are broad and general and become more restrictive
as further information is specified.

eg.

 network,		#allow access to all networking
 network tcp,		#allow access to tcp
 network inet tcp,	#allow access to tcp only for inet4 addresses
 network inet6 tcp,	#allow access to tcp only for inet6 addresses
 network netlink raw,	#allow access to AF_NETLINK SOCK_RAW

=head2 Mount Rules

AppArmor supports mount mediation and allows specifying filesystem types and
mount flags. The syntax of mount rules in AppArmor is based on the mount(8)
command syntax. Mount rules must contain one of the mount, remount or umount
keywords, but all mount conditions are optional. Unspecified optional
conditionals are assumed to match all entries (eg, not specifying fstype means
all fstypes are matched). Due to the complexity of the mount command and how
options may be specified, AppArmor allows specifying conditionals three
different ways:

=over 4

=item 1.

If a conditional is specified using '=', then the rule only grants permission
for mounts matching the exactly specified options. For example, an AppArmor
policy with the following rule:

    mount options=ro /dev/foo -E<gt> /mnt/,

Would match:

    $ mount -o ro /dev/foo /mnt

but not either of these:

    $ mount -o ro,atime /dev/foo /mnt

    $ mount -o rw /dev/foo /mnt

=item 2.

If a conditional is specified using 'in', then the rule grants permission for
mounts matching any combination of the specified options. For example, if an
AppArmor policy has the following rule:

    mount options in (ro,atime) /dev/foo -> /mnt/,

all of these mount commands will match:

    $ mount -o ro /dev/foo /mnt

    $ mount -o ro,atime /dev/foo /mnt

    $ mount -o atime /dev/foo /mnt

but none of these will:

    $ mount -o ro,sync /dev/foo /mnt

    $ mount -o ro,atime,sync /dev/foo /mnt

    $ mount -o rw /dev/foo /mnt

    $ mount -o rw,noatime /dev/foo /mnt

    $ mount /dev/foo /mnt

=item 3.

If multiple conditionals are specified in a single mount rule, then the rule
grants permission for each set of options. This provides a shorthand when
writing mount rules which might help to logically break up a conditional. For
example, if an AppArmor policy has the following rule:

    mount options=ro options=atime

both of these mount commands will match:

    $ mount -o ro /dev/foo /mnt

    $ mount -o atime /dev/foo /mnt

but this one will not:

    $ mount -o ro,atime /dev/foo /mnt

=back

Note that separate mount rules are distinct and the options do not accumulate.
For example, these AppArmor mount rules:

    mount options=ro,

    mount options=atime,

are not equivalent to either of these mount rules:

    mount options=(ro,atime),

    mount options in (ro,atime),

To help clarify the flexibility and complexity of mount rules, here are some
example rules with accompanying matching commands:

=over 4

=item B<mount,>

the 'mount' rule without any conditionals is the most generic and allows any
mount. Equivalent to 'mount fstype=** options=** ** -E<gt> /**'.

=item B<mount /dev/foo,>

allow mounting of /dev/foo anywhere with any options. Some matching mount
commands:

    $ mount /dev/foo /mnt

    $ mount -t ext3 /dev/foo /mnt

    $ mount -t vfat /dev/foo /mnt

    $ mount -o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint

=item B<mount options=ro /dev/foo,>

allow mounting of /dev/foo anywhere, as read only. Some matching mount
commands:

    $ mount -o ro /dev/foo /mnt

    $ mount -o ro /dev/foo /some/where/else

=item B<mount options=(ro,atime) /dev/foo,>

allow mount of /dev/foo anywhere, as read only and using inode access times.
Some matching mount commands:

    $ mount -o ro,atime /dev/foo /mnt

    $ mount -o ro,atime /dev/foo /some/where/else

=item B<mount options in (ro,atime) /dev/foo,>

allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime'
(see above). Some matching mount commands:

    $ mount -o ro /dev/foo /mnt

    $ mount -o atime /dev/foo /some/where/else

    $ mount -o ro,atime /dev/foo /some/other/place

=item B<mount options=ro /dev/foo, mount options=atime /dev/foo,>

allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo
anywhere using inode access times. Note this is expressed as two different
rules. Matches:

    $ mount -o ro /dev/foo /mnt/1

    $ mount -o atime /dev/foo /mnt/2

=item B<< mount -E<gt> /mnt/**, >>

allow mounting anything under a directory in /mnt/**. Some matching mount
commands:

    $ mount /dev/foo1 /mnt/1

    $ mount -o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2

=item B<< mount options=ro -E<gt> /mnt/**, >>

allow mounting anything under /mnt/**, as read only. Some matching mount
commands:

    $ mount -o ro /dev/foo1 /mnt/1

    $ mount -o ro /dev/foo2 /mnt/deep/path/foo2

=item B<< mount fstype=ext3 options=(rw,atime) /dev/sdb1 -E<gt> /mnt/stick/, >>

allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and
using inode access times. Matches only:

    $ mount -o rw,atime /dev/sdb1 /mnt/stick

=item B<< mount options=(ro, atime) options in (nodev, user) /dev/foo -E<gt> /mnt/, >>

allow mounting /dev/foo on /mmt/ read only and using inode access times or
allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'.
Matches only:

    $ mount -o ro,atime /dev/foo /mnt

    $ mount -o nodev /dev/foo /mnt

    $ mount -o user /dev/foo /mnt

    $ mount -o nodev,user /dev/foo /mnt

=back

=head2 Pivot Root Rules

AppArmor mediates changing of the root filesystem through the pivot_root(2)
system call. The syntax of 'pivot_root' rules in AppArmor is based on the
pivot_root(2) system call parameters with the notable exception that the
ordering is reversed. The path corresponding to the put_old parameter of
pivot_root(2) is optionally specified in the 'pivot_root' rule using the
'oldroot=' prefix.

AppArmor 'pivot_root' rules can specify a profile transition to occur during
the pivot_root(2) system call. Note that AppArmor will only transition the
process calling pivot_root(2) to the new profile.

The paths specified in 'pivot_root' rules must end with '/' since they are
directories.

Here are some example 'pivot_root' rules:

    # Allow any pivot
    pivot_root,

    # Allow pivoting to any new root directory and putting the old root
    # directory at /mnt/root/old/
    pivot_root oldroot=/mnt/root/old/,

    # Allow pivoting the root directory to /mnt/root/
    pivot_root /mnt/root/,

    # Allow pivoting to /mnt/root/ and putting the old root directory at
    # /mnt/root/old/
    pivot_root oldroot=/mnt/root/old/ /mnt/root/,

    # Allow pivoting to /mnt/root/, putting the old root directory at
    # /mnt/root/old/ and transition to the /mnt/root/sbin/init profile
    pivot_root oldroot=/mnt/root/old/ /mnt/root/ -> /mnt/root/sbin/init,

=head2 PTrace rules

AppArmor supports mediation of ptrace(2). AppArmor PTrace rules are accumulated
so that the granted PTrace permissions are the union of all the listed PTrace
rule permissions.

AppArmor PTrace permissions are implied when a rule does not explicitly state
an access list. By default, all PTrace permissions are implied.

The trace and tracedby permissions govern ptrace(2) while read and readby
govern certain proc(5) filesystem accesses, kcmp(2), futexes
(get_robust_list(2)) and perf trace events.

For a ptrace operation to be allowed the profile of the tracing process and the
profile of the target task must both have the correct permissions. For example,
the profile of the process attaching to another task must have the trace
permission for the target task's profile, and the task being traced must have
the tracedby permission for the tracing process' profile.

Example AppArmor PTrace rules:

    # Allow all PTrace access
    ptrace,

    # Explicitly allow all PTrace access,
    ptrace (read, readby, trace, tracedby),

    # Explicitly deny use of ptrace(2)
    deny ptrace (trace),

    # Allow unconfined processes (eg, a debugger) to ptrace us
    ptrace (readby, tracedby) peer=unconfined,

    # Allow ptrace of a process running under the /usr/bin/foo profile
    ptrace (trace) peer=/usr/bin/foo,

=head2 Signal rules

AppArmor supports mediation of signal(7). AppArmor signal rules are accumulated
so that the granted signal permissions are the union of all the listed signal
rule permissions.

AppArmor signal permissions are implied when a rule does not explicitly state
an access list. By default, all signal permissions are implied.

For the sending of a signal to be allowed, the profile of the sending process
and the profile of the target task must both have the correct permissions. For
example, the profile of a process sending a signal to another task must have
the send permission for the target task's profile, and the task receiving the
signal must have a receive permission for the sending process' profile.

Example AppArmor signal rules:

    # Allow all signal access
    signal,

    # Explicitly deny sending the HUP and INT signals
    deny signal (send) set=(hup, int),

    # Allow unconfined processes to send us signals
    signal (receive) peer=unconfined,

    # Allow sending of signals to a process running under the /usr/bin/foo
    # profile
    signal (send) peer=/usr/bin/foo,

    # Allow checking for PID existence
    signal (receive, send) set=("exists"),

    # Allow us to signal ourselves using the built-in @{profile_name} variable
    signal peer=@{profile_name},

    # Allow two real-time signals
    signal set=(rtmin+0 rtmin+32),

=head2 DBus rules

AppArmor supports DBus mediation. The mediation is performed in conjunction
with the DBus daemon. The DBus daemon verifies that communications over the
bus are permitted by AppArmor policy.

AppArmor DBus rules are accumulated so that the granted DBus permissions are
the union of all the listed DBus rule permissions.

AppArmor DBus rules are broad and general and become more restrictive as
further information is specified. Policy may be specified down to the interface
member level (method or signal name), however the contents of messages are not
examined.

Some AppArmor DBus permissions are not compatible with all AppArmor DBus rules.
The 'bind' permission cannot be used in message rules. The 'send' and 'receive'
permissions cannot be used in service rules. The 'eavesdrop' permission cannot
be used in rules containing any conditionals outside of the 'bus' conditional.

'r' and 'read' are synonyms for 'receive'. 'w' and 'write' are synonyms for
'send'. 'rw' is a synonym for both 'send' and 'receive'.

AppArmor DBus permissions are implied when a rule does not explicitly state an
access list. By default, all DBus permissions are implied. Only message
permissions are implied for message rules and only service permissions are
implied for service rules.

Example AppArmor DBus rules:

    # Allow all DBus access
    dbus,

    # Explicitly allow all DBus access,
    dbus (send, receive, bind),

    # Deny send/receive/bind access to the session bus
    deny dbus bus=session,

    # Allow bind access for a particular name on any bus
    dbus bind name=com.example.ExampleName,

    # Allow receive access for a particular path and interface
    dbus receive path=/com/example/path interface=com.example.Interface,

    # Deny send/receive access to the system bus for a particular interface
    deny dbus bus=system interface=com.example.ExampleInterface,

    # Allow send access for a particular path, interface, member, and pair of
    # peer names:
    dbus send
         bus=session
         path=/com/example/path
         interface=com.example.Interface
         member=ExampleMethod
         peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),

    # Allow receive access for all unconfined peers
    dbus receive peer=(label=unconfined),

    # Allow eavesdropping on the system bus
    dbus eavesdrop bus=system,

    # Allow and audit all eavesdropping
    audit dbus eavesdrop,

=head2 Unix socket rules

AppArmor supports fine grained mediation of unix domain abstract and
anonymous sockets. Unix domain sockets with file system paths are
mediated via file access rules.

Abstract unix domain sockets is a nonportable Linux extension of unix
domain sockets, see unix(7) for more information.

=head3 Unix socket address paths

The sun_path component (aka the socket address) of a unix domain socket is
specified by the

  addr=

conditional. If an address conditional is not specified as part of
a rule then the rule matches both abstract and anonymous sockets.

In apparmor the address of an abstract unix domain socket begins with
the I<@> character, similar to how they are reported (as paths) by
netstat -x. The address then follows and may contain pattern matching
and any characters including the null character. In apparmor null
characters must be specified by using an escape sequence I<\000> or
I<\x00>. The pattern matching is the same as is used by file path matching
so * will not match I</> even though it has no special meaning with
in an abstract socket name. Eg.

  unix addr=@*,

Anonymous unix domain sockets have no sun_path associated with the socket
address, however it can be specified with the special I<none> keyword to
indicate the rule only applies to anonymous unix domain sockets. Eg.

  unix addr=none,

If the address component of a rule is not specified then the rule applies
to both abstract and anonymous sockets.

=head3 Unix socket permissions

Unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.

Unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the socket address (aka sun_path) and label level. The content of the
communication is not examined.

Unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.

The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
permissions are local socket permissions. They are only applied to the local
socket and can't be specified in rules that have a peer component. The accept
permission applies to the combination of a local and peer socket. The connect,
send, and receive permissions are peer socket permissions.

Only the peer socket permissions will be applied to rules that don't specify
permissions and contain a peer component.

=head3 Example Unix domain socket rules:

  # Allow all permissions to unix sockets
  unix,

  # Explicitly allow all unix permissions
  unix (create, listen, accept, connect, send, receive, getattr, setattr, setopt, getopt),

  # Explicitly deny unix socket access
  deny unix,

  # Allow create and use of abstract and anonymous sockets for profile_name
  unix peer=(label=@{profile_name}),

  # Allow receiving via unix sockets from unconfined
  unix (receive) peer=(label=unconfined),

  # Allow getattr and shutdown on anonymous sockets
  unix (getattr, shutdown) addr=none,

  # Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
  # with peer running under profile '/foo'
  unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"),

  # Allow accepting connections from and receiving from peer running under
  # profile '/bar' on abstract socket '@foo'
  unix (accept, receive) addr=@foo peer=(label=/bar),

=head3 Abstract unix domain sockets autobind

Abstract unix domain sockets can autobind to an address. The autobind
address is a unique 5 digit string of decimal numbers, eg. @00001. There
is nothing that prevents a task from manually binding to addresses with a
similar pattern so it is impossible to reliably identify autobind addresses
from a regular address.

=head3 Interaction of network rules and fine grained unix domain socket rules

The coarse grained networking rules can be used to control unix domain
sockets as well. When fine grained unix domain socket mediation is available
the coarse grained network rule is mapped into the equivalent unix socket
rule.

E.G.

    network unix,  =>  unix,

    network unix stream,   =>  unix stream,

Fine grained mediation rules however can not be losslessly converted back
to the coarse grained network rule; e.g.

   unix bind addr=@example,

Has no exact match under coarse grained network rules, the closest match is
the much wider permission rule of

   network unix,

=head2 change_profile rules

AppArmor supports self directed profile transitions via the change_profile
api. Change_profile rules control which permissions for which profiles
a confined task can transition to.  The profile name can contain apparmor
pattern matching to specify different profiles.

  change_profile -> **,

The change_profile api allows the transition to be delayed until when
a task executes another application. If an exec rule transition is
specified for the application and the change_profile api is used to
make a transition at exec time, the transition specified by the
change_profile api takes precedence.

The Change_profile permission can restrict which profiles can be transitioned
to based off of the executable name by specifying the exec condition.

  change_profile /bin/bash -> new_profile,

The restricting of the transition profile to a given executable at exec
time is only useful when then current task is allowed to make dynamic
decisions about what confinement should be, but the decision set needs
to be controlled. A list of profiles or multiple rules can be used to
specify the profiles in the set. Eg.

  change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3},

An exec rule can be used to specify a transition for the executable, if
the transition should be allowed even if the change_profile api has not
been used to select a transition for those available in the change_profile
rule set.  Eg.

  /bin/bash Px -> new_profile1,
  change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3},

The exec mode dictates whether or not the Linux Kernel's B<unsafe_exec>
routines should be used to scrub the environment, similar to setuid programs.
(See ld.so(8) for some information on setuid/setgid environment scrubbing.) The
B<safe> mode sets up environment scrubbing to occur when the new application is
executed and B<unsafe> mode disables AppArmor's requirement for environment
scrubbing (the kernel and/or libc may still require environment scrubbing). An
exec mode can only be specified when an exec condition is present.

  change_profile safe /bin/bash -> new_profile,

Not all kernels support B<safe> mode and the parser will downgrade rules to
B<unsafe> mode in that situation. If no exec mode is specified, the default is
B<safe> mode in kernels that support it.

=head2 rlimit rules

AppArmor can set and control the resource limits associated with a
profile as described in the setrlimit(2) man page.

The AppArmor rlimit controls allow setting of limits and restricting
changes of them and these actions can be audited. Enforcement of the
set limits is handled by the standard kernel enforcement mechanism
for rlimits and will not result in an audited apparmor message if
the limit is enforced.

If a profile does not have an rlimit rule associated with a given
rlimit then the rlimit is left alone and regular access, including
changing the limit, is allowed. However if the profile sets an rlimit
then the current limit is checked and if greater than the limit specified
in the rule it will be changed to the specified limit.

AppArmor rlimit rules control the hard limit of an application and
ensure that if the hard limit is lowered that the soft limit does not
exceed the hard limit value.

Eg.

  set rlimit data <= 100M,
  set rlimit nproc <= 10,
  set rlimit nice <= 5,

=head2 Variables

AppArmor's policy language allows embedding variables into file rules
to enable easier configuration for some common (and pervasive) setups.
Variables may have multiple values assigned, but any variable assignments
must be made before the start of the profile.

The parser will automatically expand variables to include all values
that they have been assigned; it is an error to reference a variable
without setting at least one value. You can use empty quotes ("") to
explicitly add an empty value.

At the time of this writing, the following variables are defined in the
provided AppArmor policy:

  @{HOME}
  @{HOMEDIRS}
  @{multiarch}
  @{pid}
  @{pids}
  @{PROC}
  @{securityfs}
  @{apparmorfs}
  @{sys}
  @{tid}
  @{XDG_DESKTOP_DIR}
  @{XDG_DOWNLOAD_DIR}
  @{XDG_TEMPLATES_DIR}
  @{XDG_PUBLICSHARE_DIR}
  @{XDG_DOCUMENTS_DIR}
  @{XDG_MUSIC_DIR}
  @{XDG_PICTURES_DIR}
  @{XDG_VIDEOS_DIR}

These are defined in files in F</etc/apparmor.d/tunables> and are used in many
of the abstractions described later.

You may also add files in F</etc/apparmor.d/tunables/home.d> for
site-specific customization of B<@{HOMEDIRS}>,
F</etc/apparmor.d/tunables/multiarch.d> for B<@{multiarch}> and
F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.

The special B<@{profile_name}> variable is set to the profile name and may be
used in all policy.

=head2 Alias rules

AppArmor also provides alias rules for remapping paths for site-specific
layouts. They are an alternative form of path rewriting to using variables,
and are done after variable resolution. Alias rules must occur within the
preamble of the profile. System-wide aliases are found in
F</etc/apparmor.d/tunables/alias>, which is included by
F</etc/apparmor.d/tunables/global>. F</etc/apparmor.d/tunables/global> is
typically included at the beginning of an AppArmor profile.

=head2 Globbing

File resources may be specified with a globbing syntax similar to that
used by popular shells, such as csh(1), bash(1), zsh(1).

=over 4

=item B<*>

can substitute for any number of characters, excepting '/'

=item B<**>

can substitute for any number of characters, including '/'

=item B<?>

can substitute for any single character excepting '/'

=item B<[abc]>

will substitute for the single character a, b, or c

=item B<[a-c]>

will substitute for the single character a, b, or c

=item B<[^a-c]>

will substitute for any single character not matching a, b or c

=item B<{ab,cd}>

will expand to one rule to match ab, one rule to match cd

=back

When AppArmor looks up a directory the pathname being looked up will
end with a slash (e.g., F</var/tmp/>); otherwise it will not end with a
slash. Only rules that match a trailing slash will match directories. Some
examples, none matching the F</tmp/> directory itself, are:

=over 4

=item B</tmp/*>

Files directly in F</tmp>.

=item B</tmp/*/>

Directories directly in F</tmp>.

=item B</tmp/**>

Files and directories anywhere underneath F</tmp>.

=item B</tmp/**/>

Directories anywhere underneath F</tmp>.

=back

=head2 Rule Qualifiers

There are several rule qualifiers that can be applied to permission rules.
Rule qualifiers can modify the rule and/or permissions within the rule.

=over 4

=item B<allow>

Specifies that permissions requests that match the rule are allowed. This
is the default value for rules and does not need to be specified. Conflicts
with the I<deny> qualifier.

=item B<audit>

Specifies that permissions requests that match the rule should be recorded
to the audit log.

=item B<deny>

Specifies that permissions requests that match the rule should be denied
without logging. Can be combined with 'audit' to enable logging. Conflicts
with the I<allow> qualifier.

=item B<owner>

Specifies that the task must have the same euid/fsuid as the object being
referenced by the permission check.

=back

=head3 Qualifier Blocks

Rule Qualifiers can be applied to multiple rules at a time by grouping the
rules into a rule block.

  audit {
     /foo r,
     network,
  }

=head2 #include mechanism

AppArmor provides an easy abstraction mechanism to group common
access requirements; this abstraction is an extremely flexible way to
grant site-specific rights and makes writing new AppArmor profiles very
simple by assembling the needed building blocks for any given program.

The use of '#include' is modelled directly after cpp(1); its use will
replace the '#include' statement with the specified file's contents.
The leading '#' is optional, and the '#include' keyword can be followed
by an option conditional 'if exists' that specifies profile compilation
should continue if the specified file or directory is not found.

B<#include "/absolute/path"> specifies that F</absolute/path> should be
used.  B<#include "relative/path"> specifies that F<relative/path> should
be used, where the path is relative to the current working directory.
B<#include E<lt>magic/pathE<gt>> is the most common usage; it will load
F<magic/path> relative to a directory specified to apparmor_parser(8).
F</etc/apparmor.d/> is the AppArmor default.

The supplied AppArmor profiles follow several conventions; the
abstractions stored in F</etc/apparmor.d/abstractions/> are some
large clusters that are used in most profiles. What follows are short
descriptions of how some of the abstractions are used.

=over 4


=item F<abstractions/audio>

Includes accesses to device files used for audio applications.

=item F<abstractions/authentication>

Includes access to files and services typically necessary for services
that perform user authentication.

=item F<abstractions/base>

Includes files that should be readable and writable in all profiles.

=item F<abstractions/bash>

Includes many files used by bash; useful for interactive shells and
programs that call system(3).

=item F<abstractions/consoles>

Includes read and write access to the device files controlling the
virtual console, sshd(8), xterm(1), etc. This abstraction is needed for
many programs that interact with users.

=item F<abstractions/fonts>

Includes access to fonts and the font libraries.

=item F<abstractions/gnome>

Includes read and write access to GNOME configuration files, as well as
read access to GNOME libraries.

=item F<abstractions/kde>

Includes read and write access to KDE configuration files, as well as
read access to KDE libraries.

=item F<abstractions/kerberosclient>

Includes file access rules needed for common kerberos clients.

=item F<abstractions/nameservice>

Includes file rules to allow DNS, LDAP, NIS, SMB, user and group password
databases, services, and protocols lookups.

=item F<abstractions/perl>

Includes read access to perl modules.

=item F<abstractions/user-download>

=item F<abstractions/user-mail>

=item F<abstractions/user-manpages>

=item F<abstractions/user-tmp>

=item F<abstractions/user-write>

Some profiles for typical "user" programs will use these include files
to describe rights that users have in the system.

=item F<abstractions/wutmp>

Includes write access to files used to maintain wtmp(5) and utmp(5)
databases, used with the w(1) and associated commands.

=item F<abstractions/X>

Includes read access to libraries, configuration files, X authentication
files, and the X socket.

=back

Some of the abstractions rely on variables that are set in files in the
F</etc/apparmor.d/tunables/> directory. These variables are currently
B<@{HOME}> and B<@{HOMEDIRS}>. Variables cannot be set in profile scope;
they can only be set before the profile. Therefore, any profiles that
use abstractions should either B<#include E<lt>tunables/globalE<gt>> or
otherwise ensure that B<@{HOME}> and B<@{HOMEDIRS}> are set before
starting the profile definition. The aa-autodep(8) and aa-genprof(8) utilities
will automatically emit B<#include E<lt>tunables/globalE<gt>> in
generated profiles.

=head1 EXAMPLE

An example AppArmor profile:

	# a variable definition in the preamble
	@{HOME} = /home/*/ /root/

	# a comment about foo.
	/usr/bin/foo {
	  /bin/mount          ux,
  	  /dev/{,u}random     r,
  	  /etc/ld.so.cache    r,
  	  /etc/foo.conf       r,
  	  /etc/foo/*          r,
  	  /lib/ld-*.so*       rmix,
  	  /lib/lib*.so*       r,
  	  /proc/[0-9]**       r,
  	  /usr/lib/**         r,
  	  /tmp/foo.pid        wr,
  	  /tmp/foo.*          lrw,
	  /@{HOME}/.foo_file  rw,
	  /usr/bin/baz        Cx -> baz,

	  # a comment about foo's hat (subprofile), bar.
  	  ^bar {
  	    /lib/ld-*.so*       rmix,
  	    /usr/bin/bar        rmix,
  	    /var/spool/*        rwl,
  	  }

	  # a comment about foo's subprofile, baz.
	  profile baz {
	    #include <abstractions/bash>
	    owner /proc/[0-9]*/stat r,
	    /bin/bash ixr,
	    /var/lib/baz/ r,
	    owner /var/lib/baz/* rw,
	  }
  	}

=head1 FILES

=over 4

=item F</etc/init.d/boot.apparmor>

=item F</etc/apparmor.d/>

=back

=head1 KNOWN BUGS

=over 4

=item *

Mount options support the use of pattern matching but mount flags are not
correctly intersected against specified patterns. Eg, 'mount options=**,'
should be equivalent to 'mount,', but it is not. (LP: #965690)

=item *

The fstype may not be matched against when certain mount command flags are
used. Specifically fstype matching currently only works when creating a new
mount and not remount, bind, etc.

=item *

Mount rules with multiple 'options' conditionals are not applied as documented
but instead merged such that 'options in (ro,nodev) options in (atime)' is
equivalent to 'options in (ro,nodev,atime)'.

=item *

When specifying mount options with the 'in' conditional, both the positive and
negative values match when specifying one or the other. Eg, 'rw' matches when
'ro' is specified and 'dev' matches when 'nodev' is specified such that
'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'.

=back

=head1 SEE ALSO

apparmor(7), apparmor_parser(8), aa-complain(1),
aa-enforce(1), aa_change_hat(2), mod_apparmor(5), and
L<https://wiki.apparmor.net>.

=cut