suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man5/apparmor.d.5.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

2774 lines
78 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of APPARMOR.D</TITLE>
</HEAD><BODY>
<H1>APPARMOR.D</H1>
Section: AppArmor (5)<BR>Updated: 2020-05-19<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
apparmor.d - syntax of security profiles for AppArmor.
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
AppArmor profiles describe mandatory access rights granted to given
programs and are fed to the AppArmor policy enforcement module using
<B><A HREF="/cgi-bin/man/man2html?8+apparmor_parser">apparmor_parser</A></B>(8). This man page describes the format of the AppArmor
configuration files; see <B><A HREF="/cgi-bin/man/man2html?7+apparmor">apparmor</A></B>(7) for an overview of AppArmor.
<A NAME="lbAD">&nbsp;</A>
<H2>FORMAT</H2>
The following is a BNF-style description of AppArmor policy
configuration files; see below for an example AppArmor policy file.
AppArmor configuration files are line-oriented; <B>#</B> introduces a
comment, similar to shell scripting languages. The exception to this
rule is that <B>#include</B> will <I>include</I> the contents of a file inline
to the policy; this behaviour is modelled after <B><A HREF="/cgi-bin/man/man2html?1+cpp">cpp</A></B>(1).
<P>
<DL COMPACT><DT id="1"><DD>
<B></B><FONT SIZE="-1"><B>PROFILE FILE</B></FONT><B></B> = ( [ <I></I><FONT SIZE="-1"><I>PREAMBLE</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>PROFILE</I></FONT><I></I> ] )*
<P>
<B></B><FONT SIZE="-1"><B>PREAMBLE</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>COMMENT</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>VARIABLE ASSIGNMENT</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>ALIAS RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>INCLUDE</I></FONT><I></I> )*
<BR>&nbsp;&nbsp;Variable&nbsp;assignment&nbsp;and&nbsp;alias&nbsp;rules&nbsp;must&nbsp;come&nbsp;before&nbsp;the&nbsp;profile.
<P>
<B></B><FONT SIZE="-1"><B>VARIABLE ASSIGNMENT</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>VARIABLE</I></FONT><I></I> ('=' | '+=') (space separated values)
<P>
<B></B><FONT SIZE="-1"><B>VARIABLE</B></FONT><B></B> = '@{' <I></I><FONT SIZE="-1"><I>ALPHA</I></FONT><I></I> [ ( <I></I><FONT SIZE="-1"><I>ALPHANUMERIC</I></FONT><I></I> | '_' ) ... ] '}'
<P>
<B></B><FONT SIZE="-1"><B>ALIAS RULE</B></FONT><B></B> = 'alias' <I></I><FONT SIZE="-1"><I>ABS PATH</I></FONT><I></I> '-&gt;' <I></I><FONT SIZE="-1"><I>REWRITTEN ABS PATH</I></FONT><I></I> ','
<P>
<B></B><FONT SIZE="-1"><B>INCLUDE</B></FONT><B></B> = ( '#include' | 'include' ) [ 'if exists' ] ( <I></I><FONT SIZE="-1"><I>ABS PATH</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>MAGIC PATH</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>ABS PATH</B></FONT><B></B> = '``' path '''' (the path is passed to <B><A HREF="/cgi-bin/man/man2html?2+open">open</A></B>(2))
<P>
<B></B><FONT SIZE="-1"><B>MAGIC PATH</B></FONT><B></B> = '&lt;' relative path '&gt;'
<BR>&nbsp;&nbsp;The&nbsp;path&nbsp;is&nbsp;relative&nbsp;to&nbsp;<I>/etc/apparmor.d/</I>.
<P>
<B></B><FONT SIZE="-1"><B>COMMENT</B></FONT><B></B> = '#' <I></I><FONT SIZE="-1"><I>TEXT</I></FONT><I></I> [ '\r' ] '\n'
<P>
<B></B><FONT SIZE="-1"><B>TEXT</B></FONT><B></B> = any characters
<P>
<B></B><FONT SIZE="-1"><B>PROFILE</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>PROFILE HEAD</I></FONT><I></I> ) [ <I></I><FONT SIZE="-1"><I>ATTACHMENT SPECIFICATION</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>PROFILE FLAG CONDS</I></FONT><I></I> ] '{' ( <I></I><FONT SIZE="-1"><I>RULES</I></FONT><I></I> )* '}'
<P>
<B></B><FONT SIZE="-1"><B>PROFILE HEAD</B></FONT><B></B> = [ 'profile' ] <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I> | 'profile' <I></I><FONT SIZE="-1"><I>PROFILE NAME</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>PROFILE NAME</B></FONT><B></B> ( <I></I><FONT SIZE="-1"><I>UNQUOTED PROFILE NAME</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>QUOTED PROFILE NAME</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>QUOTED PROFILE NAME</B></FONT><B></B> = '&quot;' <I></I><FONT SIZE="-1"><I>UNQUOTED PROFILE NAME</I></FONT><I></I> '&quot;'
<P>
<B></B><FONT SIZE="-1"><B>UNQUOTED PROFILE NAME</B></FONT><B></B> = (must start with alphanumeric character (after variable expansion), or '/' <B></B><FONT SIZE="-1"><B>AARE</B></FONT><B></B> have special meanings; see below. May include <I></I><FONT SIZE="-1"><I>VARIABLE</I></FONT><I></I>. Rules with embedded spaces or tabs must be quoted.)
<P>
<B></B><FONT SIZE="-1"><B>ATTACHMENT SPECIFICATION</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>PROFILE FLAG CONDS</B></FONT><B></B> = [ 'flags=' ] '(' comma or white space separated list of <I></I><FONT SIZE="-1"><I>PROFILE FLAGS</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>PROFILE FLAGS</B></FONT><B></B> = 'complain' | 'audit' | 'enforce' | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative'
<P>
<B></B><FONT SIZE="-1"><B>RULES</B></FONT><B></B> = [ ( <I></I><FONT SIZE="-1"><I>LINE RULES</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>COMMA RULES</I></FONT><I></I> ',' | <I></I><FONT SIZE="-1"><I>BLOCK RULES</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>LINE RULES</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>COMMENT</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>INCLUDE</I></FONT><I></I> ) [ '\r' ] '\n'
<P>
<B></B><FONT SIZE="-1"><B>COMMA RULES</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>CAPABILITY RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>NETWORK RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>MOUNT RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>PIVOT ROOT RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNIX RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>FILE RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>LINK RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>CHANGE_PROFILE RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>RLIMIT RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>DBUS RULE</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>BLOCK RULES</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>SUBPROFILE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>HAT</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>QUALIFIER BLOCK</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>SUBPROFILE</B></FONT><B></B> = 'profile' <I></I><FONT SIZE="-1"><I>PROFILE NAME</I></FONT><I></I> [ <I></I><FONT SIZE="-1"><I>ATTACHMENT SPECIFICATION</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>PROFILE FLAG CONDS</I></FONT><I></I> ] '{' ( <I></I><FONT SIZE="-1"><I>RULES</I></FONT><I></I> )* '}'
<P>
<B></B><FONT SIZE="-1"><B>HAT</B></FONT><B></B> = ('hat' | '^') <I></I><FONT SIZE="-1"><I>HATNAME</I></FONT><I></I> [ <I></I><FONT SIZE="-1"><I>PROFILE FLAG CONDS</I></FONT><I></I> ] '{' ( <I></I><FONT SIZE="-1"><I>RULES</I></FONT><I></I> )* '}'
<P>
<B></B><FONT SIZE="-1"><B>HATNAME</B></FONT><B></B> = (must start with alphanumeric character. See <B><A HREF="/cgi-bin/man/man2html?2+aa_change_hat">aa_change_hat</A></B>(2) for a description of how this ``hat'' is used. If '^' is used to start a hat then there is no space between the '^' and <I></I><FONT SIZE="-1"><I>HATNAME</I></FONT><I></I>)
<P>
<B></B><FONT SIZE="-1"><B>QUALIFIER BLOCK</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> <I></I><FONT SIZE="-1"><I>BLOCK</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>ACCESS TYPE</B></FONT><B></B> = ( 'allow' | 'deny' )
<P>
<B></B><FONT SIZE="-1"><B>QUALIFIERS</B></FONT><B></B> = [ 'audit' ] [ <I></I><FONT SIZE="-1"><I>ACCESS TYPE</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>CAPABILITY RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'capability' [ <I></I><FONT SIZE="-1"><I>CAPABILITY LIST</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>CAPABILITY LIST</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>CAPABILITY</I></FONT><I></I> )+
<P>
<B></B><FONT SIZE="-1"><B>CAPABILITY</B></FONT><B></B> = (lowercase capability name without '<FONT SIZE="-1">CAP_</FONT>' prefix; see
<B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7))
<P>
<B></B><FONT SIZE="-1"><B>NETWORK RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'network' [ <I></I><FONT SIZE="-1"><I>DOMAIN</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>TYPE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>PROTOCOL</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>DOMAIN</B></FONT><B></B> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' ) ','
<P>
<B></B><FONT SIZE="-1"><B>TYPE</B></FONT><B></B> = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )
<P>
<B></B><FONT SIZE="-1"><B>PROTOCOL</B></FONT><B></B> = ( 'tcp' | 'udp' | 'icmp' )
<P>
<B></B><FONT SIZE="-1"><B>MOUNT RULE</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>MOUNT</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>REMOUNT</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UMOUNT</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>MOUNT</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'mount' [ <I></I><FONT SIZE="-1"><I>MOUNT CONDITIONS</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>SOURCE FILEGLOB</I></FONT><I></I> ] [ '-&gt;' [ <I></I><FONT SIZE="-1"><I>MOUNTPOINT FILEGLOB</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>REMOUNT</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'remount' [ <I></I><FONT SIZE="-1"><I>MOUNT CONDITIONS</I></FONT><I></I> ] <I></I><FONT SIZE="-1"><I>MOUNTPOINT FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>UMOUNT</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'umount' [ <I></I><FONT SIZE="-1"><I>MOUNT CONDITIONS</I></FONT><I></I> ] <I></I><FONT SIZE="-1"><I>MOUNTPOINT FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>MOUNT CONDITIONS</B></FONT><B></B> = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) <I></I><FONT SIZE="-1"><I>MOUNT FSTYPE EXPRESSION</I></FONT><I></I> ] [ 'options' ( '=' | 'in' ) <I></I><FONT SIZE="-1"><I>MOUNT FLAGS EXPRESSION</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>MOUNT FSTYPE EXPRESSION</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>MOUNT FSTYPE LIST</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>MOUNT EXPRESSION</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>MOUNT FSTYPE LIST</B></FONT><B></B> = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc)
<P>
<B></B><FONT SIZE="-1"><B>MOUNT FLAGS EXPRESSION</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>MOUNT FLAGS LIST</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>MOUNT EXPRESSION</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>MOUNT FLAGS LIST</B></FONT><B></B> = Comma separated list of <I></I><FONT SIZE="-1"><I>MOUNT FLAGS</I></FONT><I></I>.
<P>
<B></B><FONT SIZE="-1"><B>MOUNT FLAGS</B></FONT><B></B> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
<P>
<B></B><FONT SIZE="-1"><B>MOUNT EXPRESSION</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>ALPHANUMERIC</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ) ...
<P>
<B></B><FONT SIZE="-1"><B>PIVOT ROOT RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] pivot_root [ oldroot=<I></I><FONT SIZE="-1"><I>OLD PUT FILEGLOB</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>NEW ROOT FILEGLOB</I></FONT><I></I> ] [ '-&gt;' <I></I><FONT SIZE="-1"><I>PROFILE NAME</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>SOURCE FILEGLOB</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>MOUNTPOINT FILEGLOB</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>OLD PUT FILEGLOB</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>PTRACE_RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'ptrace' [ <I></I><FONT SIZE="-1"><I>PTRACE ACCESS PERMISSIONS</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>PTRACE PEER</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>PTRACE ACCESS PERMISSIONS</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>PTRACE ACCESS</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>PTRACE ACCESS LIST</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>PTRACE ACCESS LIST</B></FONT><B></B> = '(' Comma or space separated list of <I></I><FONT SIZE="-1"><I>PTRACE ACCESS</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>PTRACE ACCESS</B></FONT><B></B> = ( 'r' | 'w' | 'rw' | 'read' | 'readby' | 'trace' | 'tracedby' )
<P>
<B></B><FONT SIZE="-1"><B>PTRACE PEER</B></FONT><B></B> = 'peer' '=' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL_RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'signal' [ <I></I><FONT SIZE="-1"><I>SIGNAL ACCESS PERMISSIONS</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>SIGNAL SET</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>SIGNAL PEER</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL ACCESS PERMISSIONS</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>SIGNAL ACCESS</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>SIGNAL ACCESS LIST</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL ACCESS LIST</B></FONT><B></B> = '(' Comma or space separated list of <I></I><FONT SIZE="-1"><I>SIGNAL ACCESS</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL ACCESS</B></FONT><B></B> = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' )
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL SET</B></FONT><B></B> = 'set' '=' '(' <I></I><FONT SIZE="-1"><I>SIGNAL LIST</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL LIST</B></FONT><B></B> = Comma or space separated list of <I></I><FONT SIZE="-1"><I>SIGNALS</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>SIGNALS</B></FONT><B></B> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' )
<P>
<B></B><FONT SIZE="-1"><B>SIGNAL PEER</B></FONT><B></B> = 'peer' '=' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>DBUS RULE</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>DBUS MESSAGE RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>DBUS SERVICE RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>DBUS EAVESDROP RULE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>DBUS COMBINED RULE</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>DBUS MESSAGE RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'dbus' [ <I></I><FONT SIZE="-1"><I>DBUS ACCESS EXPRESSION</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS BUS</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS PATH</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS INTERFACE</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS MEMBER</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS PEER</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>DBUS SERVICE RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'dbus' [ <I></I><FONT SIZE="-1"><I>DBUS ACCESS EXPRESSION</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS BUS</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS NAME</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>DBUS EAVESDROP RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'dbus' [ <I></I><FONT SIZE="-1"><I>DBUS ACCESS EXPRESSION</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS BUS</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>DBUS COMBINED RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'dbus' [ <I></I><FONT SIZE="-1"><I>DBUS ACCESS EXPRESSION</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS BUS</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>DBUS ACCESS EXPRESSION</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>DBUS ACCESS</I></FONT><I></I> | '(' <I></I><FONT SIZE="-1"><I>DBUS ACCESS LIST</I></FONT><I></I> ')' )
<P>
<B></B><FONT SIZE="-1"><B>DBUS BUS</B></FONT><B></B> = 'bus' '=' '(' 'system' | 'session' | '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS PATH</B></FONT><B></B> = 'path' '=' '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS INTERFACE</B></FONT><B></B> = 'interface' '=' '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS MEMBER</B></FONT><B></B> = 'member' '=' '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS PEER</B></FONT><B></B> = 'peer' '=' '(' [ <I></I><FONT SIZE="-1"><I>DBUS NAME</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>DBUS LABEL</I></FONT><I></I> ] ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS NAME</B></FONT><B></B> = 'name' '=' '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS LABEL</B></FONT><B></B> = 'label' '=' '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')'
<P>
<B></B><FONT SIZE="-1"><B>DBUS ACCESS LIST</B></FONT><B></B> = Comma separated list of <I></I><FONT SIZE="-1"><I>DBUS ACCESS</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>DBUS ACCESS</B></FONT><B></B> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' | 'r' | 'read' | 'w' | 'write' | 'rw' )
<BR>&nbsp;&nbsp;Some&nbsp;accesses&nbsp;are&nbsp;incompatible&nbsp;with&nbsp;some&nbsp;rules;&nbsp;see&nbsp;below.
<P>
<B></B><FONT SIZE="-1"><B>AARE</B></FONT><B></B> = <B>?*[]{}^</B>
<BR>&nbsp;&nbsp;See&nbsp;below&nbsp;for&nbsp;meanings.
<P>
<B></B><FONT SIZE="-1"><B>UNIX RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] 'unix' [ <I></I><FONT SIZE="-1"><I>UNIX ACCESS EXPR</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>UNIX RULE CONDS</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>UNIX LOCAL EXPR</I></FONT><I></I> ] [ <I></I><FONT SIZE="-1"><I>UNIX PEER EXPR</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>UNIX ACCESS EXPR</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>UNIX ACCESS</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNIX ACCESS LIST</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>UNIX ACCESS</B></FONT><B></B> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' )
<BR>&nbsp;&nbsp;Some&nbsp;access&nbsp;modes&nbsp;are&nbsp;incompatible&nbsp;with&nbsp;some&nbsp;rules&nbsp;or&nbsp;require&nbsp;additional&nbsp;parameters.
<P>
<B></B><FONT SIZE="-1"><B>UNIX ACCESS LIST</B></FONT><B></B> = '(' <I></I><FONT SIZE="-1"><I>UNIX ACCESS</I></FONT><I></I> ( [','] <I></I><FONT SIZE="-1"><I>UNIX ACCESS</I></FONT><I></I> )* ')'
<P>
<B></B><FONT SIZE="-1"><B>UNIX RULE CONDS</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>TYPE COND</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>PROTO COND</I></FONT><I></I> )
<BR>&nbsp;&nbsp;Each&nbsp;cond&nbsp;can&nbsp;appear&nbsp;at&nbsp;most&nbsp;once.
<P>
<B></B><FONT SIZE="-1"><B>TYPE COND</B></FONT><B></B> = 'type' '=' ( <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> | '(' ( '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> )+ ')' )
<P>
<B></B><FONT SIZE="-1"><B>PROTO COND</B></FONT><B></B> = 'protocol' '=' ( <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> | '(' ( '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> )+ ')' )
<P>
<B></B><FONT SIZE="-1"><B>UNIX LOCAL EXPR</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>UNIX ADDRESS COND</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNIX LABEL COND</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNIX ATTR COND</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNIX OPT COND</I></FONT><I></I> )*
<BR>&nbsp;&nbsp;Each&nbsp;cond&nbsp;can&nbsp;appear&nbsp;at&nbsp;most&nbsp;once.
<P>
<B></B><FONT SIZE="-1"><B>UNIX PEER EXPR</B></FONT><B></B> = 'peer' '=' ( <I></I><FONT SIZE="-1"><I>UNIX ADDRESS COND</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNIX LABEL COND</I></FONT><I></I> )+
<BR>&nbsp;&nbsp;Each&nbsp;cond&nbsp;can&nbsp;appear&nbsp;at&nbsp;most&nbsp;once.
<P>
<B></B><FONT SIZE="-1"><B>UNIX ADDRESS COND</B></FONT><B></B> 'addr' '=' ( <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> | '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')' )
<P>
<B></B><FONT SIZE="-1"><B>UNIX LABEL COND</B></FONT><B></B> 'label' '=' ( <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> | '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')' )
<P>
<B></B><FONT SIZE="-1"><B>UNIX ATTR COND</B></FONT><B></B> 'attr' '=' ( <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> | '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')' )
<P>
<B></B><FONT SIZE="-1"><B>UNIX OPT COND</B></FONT><B></B> 'opt' '=' ( <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> | '(' '&quot;' <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> '&quot;' | <I></I><FONT SIZE="-1"><I>AARE</I></FONT><I></I> ')' )
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT RULE</B></FONT><B></B> = 'set' 'rlimit' [<I></I><FONT SIZE="-1"><I>RLIMIT</I></FONT><I></I> '&lt;=' <I></I><FONT SIZE="-1"><I>RLIMIT VALUE</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT</B></FONT><B></B> = ( 'cpu' | 'fsize' | 'data' | 'stack' | 'core' | 'rss' | 'nofile' | 'ofile' | 'as' | 'nproc' | 'memlock' | 'locks' | 'sigpending' | 'msgqueue' | 'nice' | 'rtprio' | 'rttime' )
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT VALUE</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>RLIMIT SIZE</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>RLIMIT NUMBER</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>RLIMIT TIME</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>RLIMIT NICE</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT SIZE</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>NUMBER</I></FONT><I></I> ( 'K' | 'M' | 'G' )
<BR>&nbsp;&nbsp;Only&nbsp;applies&nbsp;to&nbsp;<FONT SIZE="-1">RLIMIT</FONT>&nbsp;of&nbsp;'fsize',&nbsp;'data',&nbsp;'stack',&nbsp;'core',&nbsp;'rss',&nbsp;'as',&nbsp;'memlock',&nbsp;'msgqueue'.
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT NUMBER</B></FONT><B></B> = number from 0 to max rlimit value.
<BR>&nbsp;&nbsp;Only&nbsp;applies&nbsp;to&nbsp;<FONT SIZE="-1">RLIMIT</FONT>&nbsp;of&nbsp;'ofile',&nbsp;'nofile',&nbsp;'locks',&nbsp;'sigpending',&nbsp;'nproc',&nbsp;'rtprio'.
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT TIME</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>NUMBER</I></FONT><I></I> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' )
<BR>&nbsp;&nbsp;Only&nbsp;applies&nbsp;to&nbsp;<FONT SIZE="-1">RLIMIT</FONT>&nbsp;of&nbsp;'cpu'&nbsp;and&nbsp;'rttime'.&nbsp;<FONT SIZE="-1">RLIMIT</FONT>&nbsp;'cpu'&nbsp;only&nbsp;allows&nbsp;units&nbsp;&gt;=&nbsp;'seconds'.
<P>
<B></B><FONT SIZE="-1"><B>RLIMIT NICE</B></FONT><B></B> = a number between -20 and 19.
<BR>&nbsp;&nbsp;Only&nbsp;applies&nbsp;to&nbsp;<FONT SIZE="-1">RLIMIT</FONT>&nbsp;of&nbsp;'nice'.
<P>
<B></B><FONT SIZE="-1"><B>FILE RULE</B></FONT><B></B> = [ <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> ] [ 'owner' ] ( 'file' | [ 'file' ] ( <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I> <I></I><FONT SIZE="-1"><I>ACCESS</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>ACCESS</I></FONT><I></I> <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I> ) [ '-&gt;' <I></I><FONT SIZE="-1"><I>EXEC TARGET</I></FONT><I></I> ] )
<P>
<B></B><FONT SIZE="-1"><B>FILEGLOB</B></FONT><B></B> = ( <I></I><FONT SIZE="-1"><I>QUOTED FILEGLOB</I></FONT><I></I> | <I></I><FONT SIZE="-1"><I>UNQUOTED FILEGLOB</I></FONT><I></I> )
<P>
<B></B><FONT SIZE="-1"><B>QUOTED FILEGLOB</B></FONT><B></B> = '&quot;' <I></I><FONT SIZE="-1"><I>UNQUOTED FILEGLOB</I></FONT><I></I> '&quot;'
<P>
<B></B><FONT SIZE="-1"><B>UNQUOTED FILEGLOB</B></FONT><B></B> = (must start with '/' (after variable expansion), <B></B><FONT SIZE="-1"><B>AARE</B></FONT><B></B> have special meanings; see below. May include <I></I><FONT SIZE="-1"><I>VARIABLE</I></FONT><I></I>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
<P>
<B></B><FONT SIZE="-1"><B>ACCESS</B></FONT><B></B> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | <I></I><FONT SIZE="-1"><I>EXEC TRANSITION</I></FONT><I></I> )+ (not all combinations are allowed; see below.)
<P>
<B></B><FONT SIZE="-1"><B>EXEC TRANSITION</B></FONT><B></B> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' )
<BR>&nbsp;&nbsp;A&nbsp;bare&nbsp;'x'&nbsp;is&nbsp;only&nbsp;allowed&nbsp;in&nbsp;rules&nbsp;with&nbsp;the&nbsp;deny&nbsp;qualifier,&nbsp;everything&nbsp;else&nbsp;only&nbsp;without&nbsp;the&nbsp;deny&nbsp;qualifier.
<P>
<B></B><FONT SIZE="-1"><B>EXEC TARGET</B></FONT><B></B> = name
<BR>&nbsp;&nbsp;Requires&nbsp;<I></I><FONT SIZE="-1"><I>EXEC&nbsp;TRANSITION</I></FONT><I></I>&nbsp;specified.
<P>
<B></B><FONT SIZE="-1"><B>LINK RULE</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>QUALIFIERS</I></FONT><I></I> [ 'owner' ] 'link' [ 'subset' ] <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I> '-&gt;' <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I>
<P>
<B></B><FONT SIZE="-1"><B>ALPHA</B></FONT><B></B> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
<P>
<B></B><FONT SIZE="-1"><B>ALPHANUMERIC</B></FONT><B></B> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
<P>
<B></B><FONT SIZE="-1"><B>CHANGE_PROFILE RULE</B></FONT><B></B> = 'change_profile' [ [ <I></I><FONT SIZE="-1"><I>EXEC MODE</I></FONT><I></I> ] <I></I><FONT SIZE="-1"><I>EXEC COND</I></FONT><I></I> ] [ '-&gt;' <I></I><FONT SIZE="-1"><I>PROFILE NAME</I></FONT><I></I> ]
<P>
<B></B><FONT SIZE="-1"><B>EXEC_MODE</B></FONT><B></B> = ( 'safe' | 'unsafe' )
<P>
<B></B><FONT SIZE="-1"><B>EXEC COND</B></FONT><B></B> = <I></I><FONT SIZE="-1"><I>FILEGLOB</I></FONT><I></I>
</DL>
<P>
All resources and programs need a full path. There may be any number of
subprofiles (aka child profiles) in a profile, limited only by kernel
memory. Subprofile names are limited to 974 characters. Child profiles can
be used to confine an application in a special way, or when you want the
child to be unconfined on the system, but confined when called from the
parent. Hats are a special child profile that can be used with the
<B><A HREF="/cgi-bin/man/man2html?2+aa_change_hat">aa_change_hat</A></B>(2) <FONT SIZE="-1">API</FONT> call. Applications written or modified to use
<B><A HREF="/cgi-bin/man/man2html?2+aa_change_hat">aa_change_hat</A></B>(2) can take advantage of subprofiles to run under different
confinements, dependent on program logic. Several <B><A HREF="/cgi-bin/man/man2html?2+aa_change_hat">aa_change_hat</A></B>(2)-aware
applications exist, including an Apache module, <B><A HREF="/cgi-bin/man/man2html?5+mod_apparmor">mod_apparmor</A></B>(5); a <FONT SIZE="-1">PAM</FONT>
module, pam_apparmor; and a Tomcat valve, tomcat_apparmor. Applications
written or modified to use <B><A HREF="/cgi-bin/man/man2html?2+change_profile">change_profile</A></B>(2) transition permanently to the
specified profile. libvirt is one such application.
<A NAME="lbAE">&nbsp;</A>
<H3>Access Modes</H3>
File permission access modes consists of combinations of the following
modes:
<DL COMPACT>
<DT id="2"><B>r</B><DD>
- read
<DT id="3"><B>w</B><DD>
- write --- conflicts with append
<DT id="4"><B>a</B><DD>
- append --- conflicts with write
<DT id="5"><B>ux</B><DD>
- unconfined execute
<DT id="6"><B>Ux</B><DD>
- unconfined execute --- scrub the environment
<DT id="7"><B>px</B><DD>
- discrete profile execute
<DT id="8"><B>Px</B><DD>
- discrete profile execute --- scrub the environment
<DT id="9"><B>cx</B><DD>
- transition to subprofile on execute
<DT id="10"><B>Cx</B><DD>
- transition to subprofile on execute --- scrub the environment
<DT id="11"><B>ix</B><DD>
- inherit execute
<DT id="12"><B>pix</B><DD>
- discrete profile execute with inherit fallback
<DT id="13"><B>Pix</B><DD>
- discrete profile execute with inherit fallback --- scrub the environment
<DT id="14"><B>cix</B><DD>
- transition to subprofile on execute with inherit fallback
<DT id="15"><B>Cix</B><DD>
- transition to subprofile on execute with inherit fallback --- scrub the environment
<DT id="16"><B>pux</B><DD>
- discrete profile execute with fallback to unconfined
<DT id="17"><B>PUx</B><DD>
- discrete profile execute with fallback to unconfined --- scrub the environment
<DT id="18"><B>cux</B><DD>
- transition to subprofile on execute with fallback to unconfined
<DT id="19"><B>CUx</B><DD>
- transition to subprofile on execute with fallback to unconfined --- scrub the environment
<DT id="20"><B>deny x</B><DD>
- disallow execute (in rules with the deny qualifier)
<DT id="21"><B>m</B><DD>
- allow <FONT SIZE="-1">PROT_EXEC</FONT> with <B><A HREF="/cgi-bin/man/man2html?2+mmap">mmap</A></B>(2) calls
<DT id="22"><B>l</B><DD>
- link
<DT id="23"><B>k</B><DD>
- lock
</DL>
<A NAME="lbAF">&nbsp;</A>
<H3>Access Modes Details</H3>
<DL COMPACT>
<DT id="24"><B>r - Read mode</B><DD>
Allows the program to have read access to the file or directory listing. Read access is
required for shell scripts and other interpreted content.
<DT id="25"><B>w - Write mode</B><DD>
Allows the program to have write access to the file. Files and directories
must have this permission if they are to be unlinked (removed.) Write mode
is not required on a directory to rename or create files within the directory.
<P>
This mode conflicts with append mode.
<DT id="26"><B>a - Append mode</B><DD>
Allows the program to have a limited appending only write access to the file.
Append mode will prevent an application from opening the file for write unless
it passes the O_APPEND parameter flag on open.
<P>
The mode conflicts with Write mode.
<DT id="27"><B>ux - Unconfined execute mode</B><DD>
Allows the program to execute the program without any AppArmor profile
being applied to the program.
<P>
This mode is useful when a confined program needs to be able to perform
a privileged operation, such as rebooting the machine. By placing the
privileged section in another executable and granting unconfined
execution rights, it is possible to bypass the mandatory constraints
imposed on all confined processes. For more information on what is
constrained, see the <B><A HREF="/cgi-bin/man/man2html?7+apparmor">apparmor</A></B>(7) man page.
<P>
<B></B><FONT SIZE="-1"><B>WARNING</B></FONT><B></B> 'ux' should only be used in very special cases. It enables the
designated child processes to be run without any AppArmor protection.
'ux' does not scrub the environment of variables such as <FONT SIZE="-1">LD_PRELOAD</FONT>;
as a result, the calling domain may have an undue amount of influence
over the callee. Use this mode only if the child absolutely must be
run unconfined and <FONT SIZE="-1">LD_PRELOAD</FONT> must be used. Any profile using this mode
provides negligible security. Use at your own risk.
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="28"><B>Ux - unconfined execute --- scrub the environment</B><DD>
'Ux' allows the named program to run in 'ux' mode, but AppArmor
will invoke the Linux Kernel's <B>unsafe_exec</B> routines to scrub
the environment, similar to setuid programs. (See <B><A HREF="/cgi-bin/man/man2html?8+ld.so">ld.so</A></B>(8) for some
information on setuid/setgid environment scrubbing.)
<P>
<B></B><FONT SIZE="-1"><B>WARNING</B></FONT><B></B> 'Ux' should only be used in very special cases. It enables the
designated child processes to be run without any AppArmor protection.
Use this mode only if the child absolutely must be run unconfined. Use
at your own risk.
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="29"><B>px - Discrete Profile execute mode</B><DD>
This mode requires that a discrete security profile is defined for a
program executed and forces an AppArmor domain transition. If there is
no profile defined then the access will be denied.
<P>
<B></B><FONT SIZE="-1"><B>WARNING</B></FONT><B></B> 'px' does not scrub the environment of variables such as
<FONT SIZE="-1">LD_PRELOAD</FONT>; as a result, the calling domain may have an undue amount of
influence over the callee.
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="30"><B>Px - Discrete Profile execute mode --- scrub the environment</B><DD>
'Px' allows the named program to run in 'px' mode, but AppArmor
will invoke the Linux Kernel's <B>unsafe_exec</B> routines to scrub
the environment, similar to setuid programs. (See <B><A HREF="/cgi-bin/man/man2html?8+ld.so">ld.so</A></B>(8) for some
information on setuid/setgid environment scrubbing.)
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="31"><B>cx - Transition to Subprofile execute mode</B><DD>
This mode requires that a local security profile is defined and forces an
AppArmor domain transition to the named profile. If there is no profile
defined then the access will be denied.
<P>
<B></B><FONT SIZE="-1"><B>WARNING</B></FONT><B></B> 'cx' does not scrub the environment of variables such as
<FONT SIZE="-1">LD_PRELOAD</FONT>; as a result, the calling domain may have an undue amount of
influence over the callee.
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="32"><B>Cx - Transition to Subprofile execute mode --- scrub the environment</B><DD>
'Cx' allows the named program to run in 'cx' mode, but AppArmor
will invoke the Linux Kernel's <B>unsafe_exec</B> routines to scrub
the environment, similar to setuid programs. (See <B><A HREF="/cgi-bin/man/man2html?8+ld.so">ld.so</A></B>(8) for some
information on setuid/setgid environment scrubbing.)
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="33"><B>ix - Inherit execute mode</B><DD>
Prevent the normal AppArmor domain transition on <B><A HREF="/cgi-bin/man/man2html?2+execve">execve</A></B>(2) when the
profiled program executes the named program. Instead, the executed resource
will inherit the current profile.
<P>
This mode is useful when a confined program needs to call another
confined program without gaining the permissions of the target's
profile, or losing the permissions of the current profile. There is no
version to scrub the environment because 'ix' executions don't change
privileges.
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="34"><B>Profile transition with inheritance fallback execute mode</B><DD>
These modes attempt to perform a domain transition as specified by
the matching permission (shown below) and if that transition fails
to find the matching profile the domain transition proceeds using
the 'ix' transition mode.
<P>
<PRE>
'Pix' == 'Px' with fallback to 'ix'
'pix' == 'px' with fallback to 'ix'
'Cix' == 'Cx' with fallback to 'ix'
'cix' == 'cx' with fallback to 'ix'
</PRE>
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="35"><B>Profile transition with unconfined fallback execute mode</B><DD>
These modes attempt to perform a domain transition as specified by
the matching permission (shown below) and if that transition fails
to find the matching profile the domain transition proceeds using
the 'ux' transition mode if 'pux', 'cux' or the 'Ux' transition mode
if 'PUx', 'CUx' is used.
<P>
<PRE>
'PUx' == 'Px' with fallback to 'Ux'
'pux' == 'px' with fallback to 'ux'
'CUx' == 'Cx' with fallback to 'Ux'
'cux' == 'cx' with fallback to 'ux'
</PRE>
<P>
Incompatible with other exec transition modes and the deny qualifier.
<DT id="36"><B>deny x - Deny execute</B><DD>
For rules including the deny modifier, only 'x' is allowed to deny execute.
<P>
The 'ix', 'Px', 'px', 'Cx', 'cx' and the fallback modes conflict with the deny
modifier.
<DT id="37"><B>Directed profile transitions</B><DD>
The directed ('px', 'Px', 'pix', 'Pix', 'pux', 'PUx') profile and
subprofile ('cx', 'Cx', 'cix', 'Cix', 'cux', 'CUx') transitions normally
determine the profile to transition to from the executable name. It
is however possible to specify the name of the profile that the transition
should use.
<P>
The name of the profile to transition to is specified using the '-&gt;'
followed by the name of the profile to transition to. Eg.
<P>
<PRE>
/bin/** px -&gt; profile,
</PRE>
<P>
Incompatible with other exec transition modes.
<DT id="38"><B>m - Allow executable mapping</B><DD>
This mode allows a file to be mapped into memory using <B><A HREF="/cgi-bin/man/man2html?2+mmap">mmap</A></B>(2)'s
<FONT SIZE="-1">PROT_EXEC</FONT> flag. This flag marks the pages executable; it is used on some
architectures to provide non-executable data pages, which can complicate
exploit attempts. AppArmor uses this mode to limit which files a
well-behaved program (or all programs on architectures that enforce
non-executable memory access controls) may use as libraries, to limit
the effect of invalid <B>-L</B> flags given to <B><A HREF="/cgi-bin/man/man2html?1+ld">ld</A></B>(1) and <B></B><FONT SIZE="-1"><B>LD_PRELOAD</B></FONT><B></B>,
<B></B><FONT SIZE="-1"><B>LD_LIBRARY_PATH</B></FONT><B></B>, given to <B><A HREF="/cgi-bin/man/man2html?8+ld.so">ld.so</A></B>(8).
<DT id="39"><B>l - Link mode</B><DD>
Allows the program to be able to create a link with this name. When a
link is created, the new link <B></B><FONT SIZE="-1"><B>MUST</B></FONT><B></B> have a subset of permissions as
the original file (with the exception that the destination does not have
to have link access.) If there is an 'x' rule on the new link, it must
match the original file exactly.
<DT id="40"><B>k - lock mode</B><DD>
Allows the program to be able lock a file with this name. This permission
covers both advisory and mandatory locking.
<DT id="41"><B>leading </B><FONT SIZE="-1"><B>OR</B></FONT><B> trailing access permissions</B><DD>
File rules can be specified with the access permission either leading
or trailing the file glob. Eg.
<P>
<PRE>
rw /**, # leading permissions
/** rw, # trailing permissions
</PRE>
<P>
When leading permissions are used further rule options and context
may be allowed, Eg.
<P>
<PRE>
l /foo -&gt; /bar, # lead 'l' link permission is equivalent to link rules
</PRE>
</DL>
<A NAME="lbAG">&nbsp;</A>
<H3>Link rules</H3>
Link rules allow specifying permission to form a hard link as a link
target pair. If the subset condition is specified then the permissions
to access the link file must be a subset of the profiles permissions
to access the target file. If there is an 'x' rule on the new link, it
must match the original file exactly.
<P>
Eg.
<P>
<PRE>
/file1 r,
/file2 rwk,
/link* rw,
link subset /link* -&gt; /**,
</PRE>
<P>
The link rule allows linking of /link to both /file1 or /file2 by
name however because the /link file has 'rw' permissions it is not
allowed to link to /file1 because that would grant an access path
to /file1 with more permissions than the 'r' permissions the profile
specifies.
<P>
A link of /link to /file2 would be allowed because the 'rw' permissions
of /link are a subset of the 'rwk' permissions for /file1.
<P>
The link rule is equivalent to specifying the 'l' link permission as
a leading permission with no other file access permissions. When this
is done the link rule options can be specified.
<P>
The following link rule is equivalent to the 'l' permission file rule
<P>
<PRE>
link /foo -&gt; bar,
l /foo -&gt; /bar,
</PRE>
<P>
File rules that specify the 'l' permission and don't specify the extend
link permissions map to link rules as follows.
<P>
<PRE>
/foo l,
l /foo,
link subset /foo -&gt; /**,
</PRE>
<A NAME="lbAH">&nbsp;</A>
<H3>Comments</H3>
Comments start with # and may begin at any place within a line. The
comment ends when the line ends. This is the same comment style as
shell scripts.
<A NAME="lbAI">&nbsp;</A>
<H3>Capabilities</H3>
The only capabilities a confined process may use may be enumerated; for
the complete list, please refer to <B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7). Note that granting
some capabilities renders AppArmor confinement for that domain advisory;
while <B><A HREF="/cgi-bin/man/man2html?2+open">open</A></B>(2), <B><A HREF="/cgi-bin/man/man2html?2+read">read</A></B>(2), <B><A HREF="/cgi-bin/man/man2html?2+write">write</A></B>(2), etc., will still return error when
access is not granted, some capabilities allow loading kernel modules,
arbitrary access to <FONT SIZE="-1">IPC,</FONT> ability to bypass discretionary access controls,
and other operations that are typically reserved for the root user.
<A NAME="lbAJ">&nbsp;</A>
<H3>Network Rules</H3>
AppArmor supports simple coarse grained network mediation. The network
rule restrict all <B><A HREF="/cgi-bin/man/man2html?2+socket">socket</A></B>(2) based operations. The mediation done is
a course grained check on whether a socket of a given type and family
can be created, read, or written. There is no mediation based of port
number or protocol beyond tcp, udp, and raw. Network <B><A HREF="/cgi-bin/man/man2html?7+netlink">netlink</A></B>(7) rules may
only specify type 'dgram' and 'raw'.
<P>
AppArmor network rules are accumulated so that the granted network
permissions are the union of all the listed network rule permissions.
<P>
AppArmor network rules are broad and general and become more restrictive
as further information is specified.
<P>
eg.
<P>
<PRE>
network, #allow access to all networking
network tcp, #allow access to tcp
network inet tcp, #allow access to tcp only for inet4 addresses
network inet6 tcp, #allow access to tcp only for inet6 addresses
network netlink raw, #allow access to AF_NETLINK SOCK_RAW
</PRE>
<A NAME="lbAK">&nbsp;</A>
<H3>Mount Rules</H3>
AppArmor supports mount mediation and allows specifying filesystem types and
mount flags. The syntax of mount rules in AppArmor is based on the <B><A HREF="/cgi-bin/man/man2html?8+mount">mount</A></B>(8)
command syntax. Mount rules must contain one of the mount, remount or umount
keywords, but all mount conditions are optional. Unspecified optional
conditionals are assumed to match all entries (eg, not specifying fstype means
all fstypes are matched). Due to the complexity of the mount command and how
options may be specified, AppArmor allows specifying conditionals three
different ways:
<DL COMPACT>
<DT id="42">1.<DD>
If a conditional is specified using '=', then the rule only grants permission
for mounts matching the exactly specified options. For example, an AppArmor
policy with the following rule:
<P>
<PRE>
mount options=ro /dev/foo -E&lt;gt&gt; /mnt/,
</PRE>
<P>
Would match:
<P>
<PRE>
$ mount -o ro /dev/foo /mnt
</PRE>
<P>
but not either of these:
<P>
<PRE>
$ mount -o ro,atime /dev/foo /mnt
$ mount -o rw /dev/foo /mnt
</PRE>
<DT id="43">2.<DD>
If a conditional is specified using 'in', then the rule grants permission for
mounts matching any combination of the specified options. For example, if an
AppArmor policy has the following rule:
<P>
<PRE>
mount options in (ro,atime) /dev/foo -&gt; /mnt/,
</PRE>
<P>
all of these mount commands will match:
<P>
<PRE>
$ mount -o ro /dev/foo /mnt
$ mount -o ro,atime /dev/foo /mnt
$ mount -o atime /dev/foo /mnt
</PRE>
<P>
but none of these will:
<P>
<PRE>
$ mount -o ro,sync /dev/foo /mnt
$ mount -o ro,atime,sync /dev/foo /mnt
$ mount -o rw /dev/foo /mnt
$ mount -o rw,noatime /dev/foo /mnt
$ mount /dev/foo /mnt
</PRE>
<DT id="44">3.<DD>
If multiple conditionals are specified in a single mount rule, then the rule
grants permission for each set of options. This provides a shorthand when
writing mount rules which might help to logically break up a conditional. For
example, if an AppArmor policy has the following rule:
<P>
<PRE>
mount options=ro options=atime
</PRE>
<P>
both of these mount commands will match:
<P>
<PRE>
$ mount -o ro /dev/foo /mnt
$ mount -o atime /dev/foo /mnt
</PRE>
<P>
but this one will not:
<P>
<PRE>
$ mount -o ro,atime /dev/foo /mnt
</PRE>
</DL>
<P>
Note that separate mount rules are distinct and the options do not accumulate.
For example, these AppArmor mount rules:
<P>
<PRE>
mount options=ro,
mount options=atime,
</PRE>
<P>
are not equivalent to either of these mount rules:
<P>
<PRE>
mount options=(ro,atime),
mount options in (ro,atime),
</PRE>
<P>
To help clarify the flexibility and complexity of mount rules, here are some
example rules with accompanying matching commands:
<DL COMPACT>
<DT id="45"><B>mount,</B><DD>
the 'mount' rule without any conditionals is the most generic and allows any
mount. Equivalent to 'mount fstype=** options=** ** -&gt; /**'.
<DT id="46"><B>mount /dev/foo,</B><DD>
allow mounting of /dev/foo anywhere with any options. Some matching mount
commands:
<P>
<PRE>
$ mount /dev/foo /mnt
$ mount -t ext3 /dev/foo /mnt
$ mount -t vfat /dev/foo /mnt
$ mount -o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint
</PRE>
<DT id="47"><B>mount options=ro /dev/foo,</B><DD>
allow mounting of /dev/foo anywhere, as read only. Some matching mount
commands:
<P>
<PRE>
$ mount -o ro /dev/foo /mnt
$ mount -o ro /dev/foo /some/where/else
</PRE>
<DT id="48"><B>mount options=(ro,atime) /dev/foo,</B><DD>
allow mount of /dev/foo anywhere, as read only and using inode access times.
Some matching mount commands:
<P>
<PRE>
$ mount -o ro,atime /dev/foo /mnt
$ mount -o ro,atime /dev/foo /some/where/else
</PRE>
<DT id="49"><B>mount options in (ro,atime) /dev/foo,</B><DD>
allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime'
(see above). Some matching mount commands:
<P>
<PRE>
$ mount -o ro /dev/foo /mnt
$ mount -o atime /dev/foo /some/where/else
$ mount -o ro,atime /dev/foo /some/other/place
</PRE>
<DT id="50"><B>mount options=ro /dev/foo, mount options=atime /dev/foo,</B><DD>
allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo
anywhere using inode access times. Note this is expressed as two different
rules. Matches:
<P>
<PRE>
$ mount -o ro /dev/foo /mnt/1
$ mount -o atime /dev/foo /mnt/2
</PRE>
<DT id="51"><B>mount -&gt; /mnt/**,</B><DD>
allow mounting anything under a directory in /mnt/**. Some matching mount
commands:
<P>
<PRE>
$ mount /dev/foo1 /mnt/1
$ mount -o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2
</PRE>
<DT id="52"><B>mount options=ro -&gt; /mnt/**,</B><DD>
allow mounting anything under /mnt/**, as read only. Some matching mount
commands:
<P>
<PRE>
$ mount -o ro /dev/foo1 /mnt/1
$ mount -o ro /dev/foo2 /mnt/deep/path/foo2
</PRE>
<DT id="53"><B>mount fstype=ext3 options=(rw,atime) /dev/sdb1 -&gt; /mnt/stick/,</B><DD>
allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and
using inode access times. Matches only:
<P>
<PRE>
$ mount -o rw,atime /dev/sdb1 /mnt/stick
</PRE>
<DT id="54"><B>mount options=(ro, atime) options in (nodev, user) /dev/foo -&gt; /mnt/,</B><DD>
allow mounting /dev/foo on /mmt/ read only and using inode access times or
allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'.
Matches only:
<P>
<PRE>
$ mount -o ro,atime /dev/foo /mnt
$ mount -o nodev /dev/foo /mnt
$ mount -o user /dev/foo /mnt
$ mount -o nodev,user /dev/foo /mnt
</PRE>
</DL>
<A NAME="lbAL">&nbsp;</A>
<H3>Pivot Root Rules</H3>
AppArmor mediates changing of the root filesystem through the <B><A HREF="/cgi-bin/man/man2html?2+pivot_root">pivot_root</A></B>(2)
system call. The syntax of 'pivot_root' rules in AppArmor is based on the
<B><A HREF="/cgi-bin/man/man2html?2+pivot_root">pivot_root</A></B>(2) system call parameters with the notable exception that the
ordering is reversed. The path corresponding to the put_old parameter of
<B><A HREF="/cgi-bin/man/man2html?2+pivot_root">pivot_root</A></B>(2) is optionally specified in the 'pivot_root' rule using the
'oldroot=' prefix.
<P>
AppArmor 'pivot_root' rules can specify a profile transition to occur during
the <B><A HREF="/cgi-bin/man/man2html?2+pivot_root">pivot_root</A></B>(2) system call. Note that AppArmor will only transition the
process calling <B><A HREF="/cgi-bin/man/man2html?2+pivot_root">pivot_root</A></B>(2) to the new profile.
<P>
The paths specified in 'pivot_root' rules must end with '/' since they are
directories.
<P>
Here are some example 'pivot_root' rules:
<P>
<PRE>
# Allow any pivot
pivot_root,
# Allow pivoting to any new root directory and putting the old root
# directory at /mnt/root/old/
pivot_root oldroot=/mnt/root/old/,
# Allow pivoting the root directory to /mnt/root/
pivot_root /mnt/root/,
# Allow pivoting to /mnt/root/ and putting the old root directory at
# /mnt/root/old/
pivot_root oldroot=/mnt/root/old/ /mnt/root/,
# Allow pivoting to /mnt/root/, putting the old root directory at
# /mnt/root/old/ and transition to the /mnt/root/sbin/init profile
pivot_root oldroot=/mnt/root/old/ /mnt/root/ -&gt; /mnt/root/sbin/init,
</PRE>
<A NAME="lbAM">&nbsp;</A>
<H3>PTrace rules</H3>
AppArmor supports mediation of <B><A HREF="/cgi-bin/man/man2html?2+ptrace">ptrace</A></B>(2). AppArmor PTrace rules are accumulated
so that the granted PTrace permissions are the union of all the listed PTrace
rule permissions.
<P>
AppArmor PTrace permissions are implied when a rule does not explicitly state
an access list. By default, all PTrace permissions are implied.
<P>
The trace and tracedby permissions govern <B><A HREF="/cgi-bin/man/man2html?2+ptrace">ptrace</A></B>(2) while read and readby
govern certain <B><A HREF="/cgi-bin/man/man2html?5+proc">proc</A></B>(5) filesystem accesses, <B><A HREF="/cgi-bin/man/man2html?2+kcmp">kcmp</A></B>(2), futexes
(<B><A HREF="/cgi-bin/man/man2html?2+get_robust_list">get_robust_list</A></B>(2)) and perf trace events.
<P>
For a ptrace operation to be allowed the profile of the tracing process and the
profile of the target task must both have the correct permissions. For example,
the profile of the process attaching to another task must have the trace
permission for the target task's profile, and the task being traced must have
the tracedby permission for the tracing process' profile.
<P>
Example AppArmor PTrace rules:
<P>
<PRE>
# Allow all PTrace access
ptrace,
# Explicitly allow all PTrace access,
ptrace (read, readby, trace, tracedby),
# Explicitly deny use of <A HREF="/cgi-bin/man/man2html?2+ptrace">ptrace</A>(2)
deny ptrace (trace),
# Allow unconfined processes (eg, a debugger) to ptrace us
ptrace (readby, tracedby) peer=unconfined,
# Allow ptrace of a process running under the /usr/bin/foo profile
ptrace (trace) peer=/usr/bin/foo,
</PRE>
<A NAME="lbAN">&nbsp;</A>
<H3>Signal rules</H3>
AppArmor supports mediation of <B><A HREF="/cgi-bin/man/man2html?7+signal">signal</A></B>(7). AppArmor signal rules are accumulated
so that the granted signal permissions are the union of all the listed signal
rule permissions.
<P>
AppArmor signal permissions are implied when a rule does not explicitly state
an access list. By default, all signal permissions are implied.
<P>
For the sending of a signal to be allowed, the profile of the sending process
and the profile of the target task must both have the correct permissions. For
example, the profile of a process sending a signal to another task must have
the send permission for the target task's profile, and the task receiving the
signal must have a receive permission for the sending process' profile.
<P>
Example AppArmor signal rules:
<P>
<PRE>
# Allow all signal access
signal,
# Explicitly deny sending the HUP and INT signals
deny signal (send) set=(hup, int),
# Allow unconfined processes to send us signals
signal (receive) peer=unconfined,
# Allow sending of signals to a process running under the /usr/bin/foo
# profile
signal (send) peer=/usr/bin/foo,
# Allow checking for PID existence
signal (receive, send) set=(&quot;exists&quot;),
# Allow us to signal ourselves using the built-in @{profile_name} variable
signal peer=@{profile_name},
# Allow two real-time signals
signal set=(rtmin+0 rtmin+32),
</PRE>
<A NAME="lbAO">&nbsp;</A>
<H3>DBus rules</H3>
AppArmor supports DBus mediation. The mediation is performed in conjunction
with the DBus daemon. The DBus daemon verifies that communications over the
bus are permitted by AppArmor policy.
<P>
AppArmor DBus rules are accumulated so that the granted DBus permissions are
the union of all the listed DBus rule permissions.
<P>
AppArmor DBus rules are broad and general and become more restrictive as
further information is specified. Policy may be specified down to the interface
member level (method or signal name), however the contents of messages are not
examined.
<P>
Some AppArmor DBus permissions are not compatible with all AppArmor DBus rules.
The 'bind' permission cannot be used in message rules. The 'send' and 'receive'
permissions cannot be used in service rules. The 'eavesdrop' permission cannot
be used in rules containing any conditionals outside of the 'bus' conditional.
<P>
'r' and 'read' are synonyms for 'receive'. 'w' and 'write' are synonyms for
'send'. 'rw' is a synonym for both 'send' and 'receive'.
<P>
AppArmor DBus permissions are implied when a rule does not explicitly state an
access list. By default, all DBus permissions are implied. Only message
permissions are implied for message rules and only service permissions are
implied for service rules.
<P>
Example AppArmor DBus rules:
<P>
<PRE>
# Allow all DBus access
dbus,
# Explicitly allow all DBus access,
dbus (send, receive, bind),
# Deny send/receive/bind access to the session bus
deny dbus bus=session,
# Allow bind access for a particular name on any bus
dbus bind name=com.example.ExampleName,
# Allow receive access for a particular path and interface
dbus receive path=/com/example/path interface=com.example.Interface,
# Deny send/receive access to the system bus for a particular interface
deny dbus bus=system interface=com.example.ExampleInterface,
# Allow send access for a particular path, interface, member, and pair of
# peer names:
dbus send
bus=session
path=/com/example/path
interface=com.example.Interface
member=ExampleMethod
peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
# Allow receive access for all unconfined peers
dbus receive peer=(label=unconfined)),
# Allow eavesdropping on the system bus
dbus eavesdrop bus=system,
# Allow and audit all eavesdropping
audit dbus eavesdrop,
</PRE>
<A NAME="lbAP">&nbsp;</A>
<H3>Unix socket rules</H3>
AppArmor supports fine grained mediation of unix domain abstract and
anonymous sockets. Unix domain sockets with file system paths are
mediated via file access rules.
<P>
Abstract unix domain sockets is a nonportable Linux extension of unix
domain sockets, see <B><A HREF="/cgi-bin/man/man2html?7+unix">unix</A></B>(7) for more information.
<P>
<I>Unix socket address paths</I>
<P>
The sun_path component (aka the socket address) of a unix domain socket is
specified by the
<P>
<PRE>
addr=
</PRE>
<P>
conditional. If an address conditional is not specified as part of
a rule then the rule matches both abstract and anonymous sockets.
<P>
In apparmor the address of an abstract unix domain socket begins with
the <I>@</I> character, similar to how they are reported (as paths) by
netstat -x. The address then follows and may contain pattern matching
and any characters including the null character. In apparmor null
characters must be specified by using an escape sequence <I>\000</I> or
<I>\x00</I>. The pattern matching is the same as is used by file path matching
so * will not match <I>/</I> even though it has no special meaning with
in an abstract socket name. Eg.
<P>
<PRE>
unix addr=@*,
</PRE>
<P>
Anonymous unix domain sockets have no sun_path associated with the socket
address, however it can be specified with the special <I>none</I> keyword to
indicate the rule only applies to anonymous unix domain sockets. Eg.
<P>
<PRE>
unix addr=none,
</PRE>
<P>
If the address component of a rule is not specified then the rule applies
to both abstract and anonymous sockets.
<P>
<I>Unix socket permissions</I>
<P>
Unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
<P>
Unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the socket address (aka sun_path) and label level. The content of the
communication is not examined.
<P>
Unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
<P>
The create, bind, listen, shutdown, getattr, setattr, getopt, and setopt
permissions are local socket permissions. They are only applied to the local
socket and can't be specified in rules that have a peer component. The accept
permission applies to the combination of a local and peer socket. The connect,
send, and receive permissions are peer socket permissions.
<P>
Only the peer socket permissions will be applied to rules that don't specify
permissions and contain a peer component.
<P>
<I>Example Unix domain socket rules:</I>
<P>
<PRE>
# Allow all permissions to unix sockets
unix,
# Explicitly allow all unix permissions
unix (create, listen, accept, connect, send, receive, getattr, setattr, setopt, getopt),
# Explicitly deny unix socket access
deny unix,
# Allow create and use of abstract and anonymous sockets for profile_name
unix peer=(label=@{profile_name}),
# Allow receiving via unix sockets from unconfined
unix (receive) peer=(label=unconfined),
# Allow getattr and shutdown on anonymous sockets
unix (getattr, shutdown) addr=none,
# Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
# with peer running under profile '/foo'
unix (connect, receive, send) type=stream peer=(label=/foo,addr=&quot;@bar&quot;),
# Allow accepting connections from and receiving from peer running under
# profile '/bar' on abstract socket '@foo'
unix (accept, receive) addr=@foo peer=(label=/bar),
</PRE>
<P>
<I>Abstract unix domain sockets autobind</I>
<P>
Abstract unix domain sockets can autobind to an address. The autobind
address is a unique 5 digit string of decimal numbers, eg. <TT>@00001</TT>. There
is nothing that prevents a task from manually binding to addresses with a
similar pattern so it is impossible to reliably identify autobind addresses
from a regular address.
<P>
<I>Interaction of network rules and fine grained unix domain socket rules</I>
<P>
The coarse grained networking rules can be used to control unix domain
sockets as well. When fine grained unix domain socket mediation is available
the coarse grained network rule is mapped into the equivalent unix socket
rule.
<P>
E.G.
<P>
<PRE>
network unix, =&gt; unix,
network unix stream, =&gt; unix stream,
</PRE>
<P>
Fine grained mediation rules however can not be lossly converted back
to the coarse grained network rule; e.g.
<P>
<PRE>
unix bind addr=@example,
</PRE>
<P>
Has no exact match under coarse grained network rules, the closest match is
the much wider permission rule of
<P>
<PRE>
network unix,
</PRE>
<A NAME="lbAQ">&nbsp;</A>
<H3>change_profile rules</H3>
AppArmor supports self directed profile transitions via the change_profile
api. Change_profile rules control which permissions for which profiles
a confined task can transition to. The profile name can contain apparmor
pattern matching to specify different profiles.
<P>
<PRE>
change_profile -&gt; **,
</PRE>
<P>
The change_profile api allows the transition to be delayed until when
a task executes another application. If an exec rule transition is
specified for the application and the change_profile api is used to
make a transition at exec time, the transition specified by the
change_profile api takes precedence.
<P>
The Change_profile permission can restrict which profiles can be transitioned
to based off of the executable name by specifying the exec condition.
<P>
<PRE>
change_profile /bin/bash -&gt; new_profile,
</PRE>
<P>
The restricting of the transition profile to a given executable at exec
time is only useful when then current task is allowed to make dynamic
decisions about what confinement should be, but the decision set needs
to be controlled. A list of profiles or multiple rules can be used to
specify the profiles in the set. Eg.
<P>
<PRE>
change_profile /bin/bash -&gt; {new_profile1,new_profile2,new_profile3},
</PRE>
<P>
An exec rule can be used to specify a transition for the executable, if
the transition should be allowed even if the change_profile api has not
been used to select a transition for those available in the change_profile
rule set. Eg.
<P>
<PRE>
/bin/bash Px -&gt; new_profile1,
change_profile /bin/bash -&gt; {new_profile1,new_profile2,new_profile3},
</PRE>
<P>
The exec mode dictates whether or not the Linux Kernel's <B>unsafe_exec</B>
routines should be used to scrub the environment, similar to setuid programs.
(See <B><A HREF="/cgi-bin/man/man2html?8+ld.so">ld.so</A></B>(8) for some information on setuid/setgid environment scrubbing.) The
<B>safe</B> mode sets up environment scrubbing to occur when the new application is
executed and <B>unsafe</B> mode disables AppArmor's requirement for environment
scrubbing (the kernel and/or libc may still require environment scrubbing). An
exec mode can only be specified when an exec condition is present.
<P>
<PRE>
change_profile safe /bin/bash -&gt; new_profile,
</PRE>
<P>
Not all kernels support <B>safe</B> mode and the parser will downgrade rules to
<B>unsafe</B> mode in that situation. If no exec mode is specified, the default is
<B>safe</B> mode in kernels that support it.
<A NAME="lbAR">&nbsp;</A>
<H3>rlimit rules</H3>
AppArmor can set and control the resource limits associated with a
profile as described in the <B><A HREF="/cgi-bin/man/man2html?2+setrlimit">setrlimit</A></B>(2) man page.
<P>
The AppArmor rlimit controls allow setting of limits and restricting
changes of them and these actions can be audited. Enforcement of the
set limits is handled by the standard kernel enforcement mechanism
for rlimits and will not result in an audited apparmor message if
the limit is enforced.
<P>
If a profile does not have an rlimit rule associated with a given
rlimit then the rlimit is left alone and regular access, including
changing the limit, is allowed. However if the profile sets an rlimit
then the current limit is checked and if greater than the limit specified
in the rule it will be changed to the specified limit.
<P>
AppArmor rlimit rules control the hard limit of an application and
ensure that if the hard limit is lowered that the soft limit does not
exceed the hard limit value.
<P>
Eg.
<P>
<PRE>
set rlimit data &lt;= 100M,
set rlimit nproc &lt;= 10,
set rlimit nice &lt;= 5,
</PRE>
<A NAME="lbAS">&nbsp;</A>
<H3>Variables</H3>
AppArmor's policy language allows embedding variables into file rules
to enable easier configuration for some common (and pervasive) setups.
Variables may have multiple values assigned, but any variable assignments
must be made before the start of the profile.
<P>
The parser will automatically expand variables to include all values
that they have been assigned; it is an error to reference a variable
without setting at least one value. You can use empty quotes (&quot;&quot;) to
explicitly add an empty value.
<P>
At the time of this writing, the following variables are defined in the
provided AppArmor policy:
<P>
<PRE>
@{HOME}
@{HOMEDIRS}
@{multiarch}
@{pid}
@{pids}
@{PROC}
@{securityfs}
@{apparmorfs}
@{sys}
@{tid}
@{XDG_DESKTOP_DIR}
@{XDG_DOWNLOAD_DIR}
@{XDG_TEMPLATES_DIR}
@{XDG_PUBLICSHARE_DIR}
@{XDG_DOCUMENTS_DIR}
@{XDG_MUSIC_DIR}
@{XDG_PICTURES_DIR}
@{XDG_VIDEOS_DIR}
</PRE>
<P>
These are defined in files in <I>/etc/apparmor.d/tunables</I> and are used in many
of the abstractions described later.
<P>
You may also add files in <I>/etc/apparmor.d/tunables/home.d</I> for
site-specific customization of <B>@{</B><FONT SIZE="-1"><B>HOMEDIRS</B></FONT><B>}</B>,
<I>/etc/apparmor.d/tunables/multiarch.d</I> for <B>@{multiarch}</B> and
<I>/etc/apparmor.d/tunables/xdg-user-dirs.d</I> for <B>@{XDG_*}</B>.
<P>
The special <B>@{profile_name}</B> variable is set to the profile name and may be
used in all policy.
<A NAME="lbAT">&nbsp;</A>
<H3>Alias rules</H3>
AppArmor also provides alias rules for remapping paths for site-specific
layouts. They are an alternative form of path rewriting to using variables,
and are done after variable resolution. Alias rules must occur within the
preamble of the profile. System-wide aliases are found in
<I>/etc/apparmor.d/tunables/alias</I>, which is included by
<I>/etc/apparmor.d/tunables/global</I>. <I>/etc/apparmor.d/tunables/global</I> is
typically included at the beginning of an AppArmor profile.
<A NAME="lbAU">&nbsp;</A>
<H3>Globbing</H3>
File resources may be specified with a globbing syntax similar to that
used by popular shells, such as <B><A HREF="/cgi-bin/man/man2html?1+csh">csh</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+bash">bash</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+zsh">zsh</A></B>(1).
<DL COMPACT>
<DT id="55"><B>*</B><DD>
can substitute for any number of characters, excepting '/'
<DT id="56"><B>**</B><DD>
can substitute for any number of characters, including '/'
<DT id="57"><B>?</B><DD>
can substitute for any single character excepting '/'
<DT id="58"><B>[abc]</B><DD>
will substitute for the single character a, b, or c
<DT id="59"><B>[a-c]</B><DD>
will substitute for the single character a, b, or c
<DT id="60"><B>[^a-c]</B><DD>
will substitute for any single character not matching a, b or c
<DT id="61"><B>{ab,cd}</B><DD>
will expand to one rule to match ab, one rule to match cd
</DL>
<P>
When AppArmor looks up a directory the pathname being looked up will
end with a slash (e.g., <I>/var/tmp/</I>); otherwise it will not end with a
slash. Only rules that match a trailing slash will match directories. Some
examples, none matching the <I>/tmp/</I> directory itself, are:
<DL COMPACT>
<DT id="62"><B>/tmp/*</B><DD>
Files directly in <I>/tmp</I>.
<DT id="63"><B>/tmp/*/</B><DD>
Directories directly in <I>/tmp</I>.
<DT id="64"><B>/tmp/**</B><DD>
Files and directories anywhere underneath <I>/tmp</I>.
<DT id="65"><B>/tmp/**/</B><DD>
Directories anywhere underneath <I>/tmp</I>.
</DL>
<A NAME="lbAV">&nbsp;</A>
<H3>Rule Qualifiers</H3>
There are several rule qualifiers that can be applied to permission rules.
Rule qualifiers can modify the rule and/or permissions within the rule.
<DL COMPACT>
<DT id="66"><B>allow</B><DD>
Specifies that permissions requests that match the rule are allowed. This
is the default value for rules and does not need to be specified. Conflicts
with the <I>deny</I> qualifier.
<DT id="67"><B>audit</B><DD>
Specifies that permissions requests that match the rule should be recorded
to the audit log.
<DT id="68"><B>deny</B><DD>
Specifies that permissions requests that match the rule should be denied
without logging. Can be combined with 'audit' to enable logging. Conflicts
with the <I>allow</I> qualifier.
<DT id="69"><B>owner</B><DD>
Specifies that the task must have the same euid/fsuid as the object being
referenced by the permission check.
</DL>
<P>
<I>Qualifier Blocks</I>
<P>
Rule Qualifiers can be applied to multiple rules at a time by grouping the
rules into a rule block.
<P>
<PRE>
audit {
/foo r,
network,
}
</PRE>
<A NAME="lbAW">&nbsp;</A>
<H3>#include mechanism</H3>
AppArmor provides an easy abstraction mechanism to group common
access requirements; this abstraction is an extremely flexible way to
grant site-specific rights and makes writing new AppArmor profiles very
simple by assembling the needed building blocks for any given program.
<P>
The use of '#include' is modelled directly after <B><A HREF="/cgi-bin/man/man2html?1+cpp">cpp</A></B>(1); its use will
replace the '#include' statement with the specified file's contents.
The leading '#' is optional, and the '#include' keyword can be followed
by an option conditional 'if exists' that specifies profile compilation
should continue if the specified file or directory is not found.
<P>
<B>#include ``/absolute/path''</B> specifies that <I>/absolute/path</I> should be
used. <B>#include ``relative/path''</B> specifies that <I>relative/path</I> should
be used, where the path is relative to the current working directory.
<B>#include &lt;magic/path&gt;</B> is the most common usage; it will load
<I>magic/path</I> relative to a directory specified to <B><A HREF="/cgi-bin/man/man2html?8+apparmor_parser">apparmor_parser</A></B>(8).
<I>/etc/apparmor.d/</I> is the AppArmor default.
<P>
The supplied AppArmor profiles follow several conventions; the
abstractions stored in <I>/etc/apparmor.d/abstractions/</I> are some
large clusters that are used in most profiles. What follows are short
descriptions of how some of the abstractions are used.
<DL COMPACT>
<DT id="70"><I>abstractions/audio</I><DD>
Includes accesses to device files used for audio applications.
<DT id="71"><I>abstractions/authentication</I><DD>
Includes access to files and services typically necessary for services
that perform user authentication.
<DT id="72"><I>abstractions/base</I><DD>
Includes files that should be readable and writable in all profiles.
<DT id="73"><I>abstractions/bash</I><DD>
Includes many files used by bash; useful for interactive shells and
programs that call <B><A HREF="/cgi-bin/man/man2html?3+system">system</A></B>(3).
<DT id="74"><I>abstractions/consoles</I><DD>
Includes read and write access to the device files controlling the
virtual console, <B><A HREF="/cgi-bin/man/man2html?8+sshd">sshd</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?1+xterm">xterm</A></B>(1), etc. This abstraction is needed for
many programs that interact with users.
<DT id="75"><I>abstractions/fonts</I><DD>
Includes access to fonts and the font libraries.
<DT id="76"><I>abstractions/gnome</I><DD>
Includes read and write access to <FONT SIZE="-1">GNOME</FONT> configuration files, as well as
read access to <FONT SIZE="-1">GNOME</FONT> libraries.
<DT id="77"><I>abstractions/kde</I><DD>
Includes read and write access to <FONT SIZE="-1">KDE</FONT> configuration files, as well as
read access to <FONT SIZE="-1">KDE</FONT> libraries.
<DT id="78"><I>abstractions/kerberosclient</I><DD>
Includes file access rules needed for common kerberos clients.
<DT id="79"><I>abstractions/nameservice</I><DD>
Includes file rules to allow <FONT SIZE="-1">DNS, LDAP, NIS, SMB,</FONT> user and group password
databases, services, and protocols lookups.
<DT id="80"><I>abstractions/perl</I><DD>
Includes read access to perl modules.
<DT id="81"><I>abstractions/user-download</I><DD>
<DT id="82"><I>abstractions/user-mail</I><DD>
<DT id="83"><I>abstractions/user-manpages</I><DD>
<DT id="84"><I>abstractions/user-tmp</I><DD>
<DT id="85"><I>abstractions/user-write</I><DD>
Some profiles for typical ``user'' programs will use these include files
to describe rights that users have in the system.
<DT id="86"><I>abstractions/wutmp</I><DD>
Includes write access to files used to maintain <B><A HREF="/cgi-bin/man/man2html?5+wtmp">wtmp</A></B>(5) and <B><A HREF="/cgi-bin/man/man2html?5+utmp">utmp</A></B>(5)
databases, used with the <A HREF="/cgi-bin/man/man2html?1+w">w</A>(1) and associated commands.
<DT id="87"><I>abstractions/X</I><DD>
Includes read access to libraries, configuration files, X authentication
files, and the X socket.
</DL>
<P>
Some of the abstractions rely on variables that are set in files in the
<I>/etc/apparmor.d/tunables/</I> directory. These variables are currently
<B>@{</B><FONT SIZE="-1"><B>HOME</B></FONT><B>}</B> and <B>@{</B><FONT SIZE="-1"><B>HOMEDIRS</B></FONT><B>}</B>. Variables cannot be set in profile scope;
they can only be set before the profile. Therefore, any profiles that
use abstractions should either <B>#include &lt;tunables/global&gt;</B> or
otherwise ensure that <B>@{</B><FONT SIZE="-1"><B>HOME</B></FONT><B>}</B> and <B>@{</B><FONT SIZE="-1"><B>HOMEDIRS</B></FONT><B>}</B> are set before
starting the profile definition. The <B><A HREF="/cgi-bin/man/man2html?8+aa-autodep">aa-autodep</A></B>(8) and <B><A HREF="/cgi-bin/man/man2html?8+aa-genprof">aa-genprof</A></B>(8) utilities
will automatically emit <B>#include &lt;tunables/global&gt;</B> in
generated profiles.
<A NAME="lbAX">&nbsp;</A>
<H2>EXAMPLE</H2>
An example AppArmor profile:
<P>
<PRE>
# a variable definition in the preamble
@{HOME} = /home/*/ /root/
# a comment about foo.
/usr/bin/foo {
/bin/mount ux,
/dev/{,u}random r,
/etc/ld.so.cache r,
/etc/foo.conf r,
/etc/foo/* r,
/lib/ld-*.so* rmix,
/lib/lib*.so* r,
/proc/[0-9]** r,
/usr/lib/** r,
/tmp/foo.pid wr,
/tmp/foo.* lrw,
/@{HOME}/.foo_file rw,
/usr/bin/baz Cx -&gt; baz,
# a comment about foo's hat (subprofile), bar.
^bar {
/lib/ld-*.so* rmix,
/usr/bin/bar rmix,
/var/spool/* rwl,
}
# a comment about foo's subprofile, baz.
profile baz {
#include &lt;abstractions/bash&gt;
owner /proc/[0-9]*/stat r,
/bin/bash ixr,
/var/lib/baz/ r,
owner /var/lib/baz/* rw,
}
}
</PRE>
<A NAME="lbAY">&nbsp;</A>
<H2>FILES</H2>
<DL COMPACT>
<DT id="88"><I>/etc/init.d/boot.apparmor</I><DD>
<DT id="89"><I>/etc/apparmor.d/</I><DD>
</DL>
<A NAME="lbAZ">&nbsp;</A>
<H2>KNOWN BUGS</H2>
<DL COMPACT>
<DT id="90">&bull;<DD>
Mount options support the use of pattern matching but mount flags are not
correctly intersected against specified patterns. Eg, 'mount options=**,'
should be equivalent to 'mount,', but it is not. (<FONT SIZE="-1">LP:</FONT> #965690)
<DT id="91">&bull;<DD>
The fstype may not be matched against when certain mount command flags are
used. Specifically fstype matching currently only works when creating a new
mount and not remount, bind, etc.
<DT id="92">&bull;<DD>
Mount rules with multiple 'options' conditionals are not applied as documented
but instead merged such that 'options in (ro,nodev) options in (atime)' is
equivalent to 'options in (ro,nodev,atime)'.
<DT id="93">&bull;<DD>
When specifying mount options with the 'in' conditional, both the positive and
negative values match when specifying one or the other. Eg, 'rw' matches when
'ro' is specified and 'dev' matches when 'nodev' is specified such that
'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'.
</DL>
<A NAME="lbBA">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?7+apparmor">apparmor</A></B>(7), <B><A HREF="/cgi-bin/man/man2html?8+apparmor_parser">apparmor_parser</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?1+aa-complain">aa-complain</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?1+aa-enforce">aa-enforce</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?2+aa_change_hat">aa_change_hat</A></B>(2), <B><A HREF="/cgi-bin/man/man2html?5+mod_apparmor">mod_apparmor</A></B>(5), and
&lt;<A HREF="https://wiki.apparmor.net">https://wiki.apparmor.net</A>&gt;.
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="94"><A HREF="#lbAB">NAME</A><DD>
<DT id="95"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="96"><A HREF="#lbAD">FORMAT</A><DD>
<DL>
<DT id="97"><A HREF="#lbAE">Access Modes</A><DD>
<DT id="98"><A HREF="#lbAF">Access Modes Details</A><DD>
<DT id="99"><A HREF="#lbAG">Link rules</A><DD>
<DT id="100"><A HREF="#lbAH">Comments</A><DD>
<DT id="101"><A HREF="#lbAI">Capabilities</A><DD>
<DT id="102"><A HREF="#lbAJ">Network Rules</A><DD>
<DT id="103"><A HREF="#lbAK">Mount Rules</A><DD>
<DT id="104"><A HREF="#lbAL">Pivot Root Rules</A><DD>
<DT id="105"><A HREF="#lbAM">PTrace rules</A><DD>
<DT id="106"><A HREF="#lbAN">Signal rules</A><DD>
<DT id="107"><A HREF="#lbAO">DBus rules</A><DD>
<DT id="108"><A HREF="#lbAP">Unix socket rules</A><DD>
<DT id="109"><A HREF="#lbAQ">change_profile rules</A><DD>
<DT id="110"><A HREF="#lbAR">rlimit rules</A><DD>
<DT id="111"><A HREF="#lbAS">Variables</A><DD>
<DT id="112"><A HREF="#lbAT">Alias rules</A><DD>
<DT id="113"><A HREF="#lbAU">Globbing</A><DD>
<DT id="114"><A HREF="#lbAV">Rule Qualifiers</A><DD>
<DT id="115"><A HREF="#lbAW">#include mechanism</A><DD>
</DL>
<DT id="116"><A HREF="#lbAX">EXAMPLE</A><DD>
<DT id="117"><A HREF="#lbAY">FILES</A><DD>
<DT id="118"><A HREF="#lbAZ">KNOWN BUGS</A><DD>
<DT id="119"><A HREF="#lbBA">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:02 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink