Ah, thanks, I get it now.

On Wed, Jun 26, 2013 at 8:35 AM, John Johansen <[email protected]> wrote:
> On 06/25/2013 05:21 PM, Seth Arnold wrote:
>> On Wed, Jun 26, 2013 at 07:54:46AM +0800, Aaron Lewis wrote:
>>> Hi,
>>>
>>> Looks like I can use rwmc altogether, am I wrong?
>>>
>>> owner @{HOME}/.config/google-googletalkplugin/{**,} rwmc,
>>
>> I can't see 'c' support in our current parser source code, nor can I get
>> this to work in a test profile:
>>
> c is not supported as an independent permission. We have cx for child profile
> transitions.
>
> The audit logs do unfortunately report c for the create permission as
> the kernel does have the permission set broken down finer than what is
> currently exposed in the language.
>
> Currently the w permission implies c.
>
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#File_permissions
>
> has a guide (reproduced below) of how the letter permissions map to the wider
> set of permissions:
>
> Short form permissions map to
> r - read, meta-read, mmap_r
> w - create, delete, trunc, write, meta-write, chmod, chown, mmap_w, mprot_wx,
>     partial rename (where it implies partial source rename permissions and full
>     destination rename permission)
> a - append, create
> l - link (may be combined with other permissions to determine if allowed)
> k - lock (combines with ???write to determine if exclusive lock is allowed)
> m - mmap_x, mprot_wx
> x - exec (if ix then also mmap_x)
>
>
>> $ echo "/t { / rwmc, }" | apparmor_parser -Q -d
>> Warning from stdin (line 1): apparmor_parser: cannot use or update cache,
>> disable, or force-complain via stdin
>> AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_ID,
>> expecting TOK_MODE
>>
>> But removing the 'c':
>>
>> $ echo "/t { / rwm, }" | apparmor_parser -Q -d
>> Warning from stdin (line 1): apparmor_parser: cannot use or update cache,
>> disable, or force-complain via stdin
>> ----- Debugging built structures -----
>> Name: /t
>> Profile Mode: Enforce
>> --- Entries ---
>> Mode: rwam:rwam Name: (/)
>>
>> $
>>
>> When the kernel logs a denied mode of 'c', it is indeed a process trying
>> to create the file, but there is currently no way to give _only_ this
>> privilege to a process. 'w' will also grant this permission.
>>
>> All you need is 'rwm'.
>>
>> Thanks
>>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor

--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
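The point of the thread is that the kernel's audit record is finer grained than the policy language: a denial can say `denied_mask="c"`, but the parser has no standalone `c` mode, and both `w` and `a` already imply create. The following Python script is an added example, not code from the thread or from the AppArmor project. It encodes the short-form-to-wider-permission table John reproduced above, rejects a bare `c` the way the parser does, parses a constructed denial line, and reports which candidate modes would actually cover it. The mapping of audit-mask letters other than `c` (`d` for delete, the rest mirroring the policy letters) and the handling of exec qualifiers are assumptions made for the example; the audit log line is constructed, not captured.

```python
import re

# Short-form policy letter -> wider permission set, as listed in the thread.
SHORT_FORM = {
    "r": {"read", "meta-read", "mmap_r"},
    "w": {"create", "delete", "trunc", "write", "meta-write", "chmod", "chown",
          "mmap_w", "mprot_wx", "rename"},
    "a": {"append", "create"},
    "l": {"link"},
    "k": {"lock"},
    "m": {"mmap_x", "mprot_wx"},
    "x": {"exec"},
}

# Audit-log mask letter -> permission name. 'c' == create is what the thread
# states; the other entries are an assumption for this example.
AUDIT_MASK = {"r": "read", "w": "write", "a": "append", "c": "create",
              "d": "delete", "l": "link", "k": "lock", "m": "mmap_x", "x": "exec"}

EXEC_QUALIFIERS = "ipuc"  # ix, px, ux, cx (and their upper-case forms)

# Constructed denial line in the kernel's audit format (not a real capture).
SAMPLE_LOG = ('type=AVC msg=audit(1372201234.123:456): apparmor="DENIED" '
              'operation="mknod" profile="/usr/lib/firefox/firefox" '
              'name="/home/user/.config/google-googletalkplugin/x" pid=1234 '
              'comm="plugin-containe" requested_mask="c" denied_mask="c" '
              'fsuid=1000 ouid=1000')

DENIAL_RE = re.compile(r'apparmor="DENIED".*?\bname="(?P<name>[^"]*)"'
                       r'.*?\bdenied_mask="(?P<mask>[^"]*)"')


def expand_mode(mode):
    """Validate a short-form file mode and expand it to its permission set.

    A letter the parser would not accept (for example a bare 'c', which only
    exists as the exec qualifier in 'cx') raises ValueError, mirroring the
    'unexpected TOK_ID, expecting TOK_MODE' error quoted in the thread.
    """
    perms = set()
    i = 0
    while i < len(mode):
        ch = mode[i]
        if ch.lower() in EXEC_QUALIFIERS and i + 1 < len(mode) and mode[i + 1] == "x":
            perms |= SHORT_FORM["x"]
            if ch.lower() == "i":
                perms.add("mmap_x")  # ix also grants mmap_x, per the table
            i += 2
            continue
        if ch not in SHORT_FORM:
            raise ValueError(f"unexpected mode letter {ch!r} in {mode!r}")
        perms |= SHORT_FORM[ch]
        i += 1
    return perms


def parse_denial(line):
    """Return (path, denied_mask) from an AppArmor DENIED audit line, or None."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    return m.group("name"), m.group("mask")


def covers(mode, denied_mask):
    """True if the short-form mode grants every permission in the denied mask."""
    try:
        needed = {AUDIT_MASK[ch] for ch in denied_mask}
    except KeyError as e:
        raise ValueError(f"unknown audit mask letter {e.args[0]!r}") from None
    return needed <= expand_mode(mode)


def suggest(line, candidate_modes):
    """Classify each candidate mode against the denial in `line`.

    Returns a dict: mode -> 'covers' | 'does not cover' | 'parser would reject'.
    """
    parsed = parse_denial(line)
    if parsed is None:
        raise ValueError("not an AppArmor DENIED line")
    _, mask = parsed
    result = {}
    for mode in candidate_modes:
        try:
            result[mode] = "covers" if covers(mode, mask) else "does not cover"
        except ValueError:
            result[mode] = "parser would reject"
    return result


if __name__ == "__main__":
    path, mask = parse_denial(SAMPLE_LOG)
    print(f"denied {mask!r} on {path}")
    for mode, verdict in suggest(SAMPLE_LOG, ["rwmc", "rwm", "rm", "ra"]).items():
        print(f"  {mode:5} -> {verdict}")
```

Running it shows `rwmc` rejected, `rwm` and `ra` covering the create denial (because `w` and `a` both expand to include create), and `rm` not covering it. The `expand_mode` check is the part worth keeping around when writing rules from `denied_mask` values by hand: the audit letters are not all legal policy letters.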
