Mention, in the apparmor.d man page, that pivot_root arguments must end with a '/' character since they are directories.
The parser currently allows pivot_root arguments that do not end in '/', but those rules will always fail to match.

Signed-off-by: Tyler Hicks <[email protected]>
Cc: Jamie Strandboge <[email protected]>
---

Jamie asked for a mention in the man page that pivot_root arguments must end in '/'. (see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1305244/comments/7)

Additionally, Jamie mentioned that the variable expansion issue (see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1305244/comments/3) should possibly be documented in the pivot_root section. I didn't add anything about variable expansion in this patch because, AFAIU, it isn't specific to pivot_root rules. This is a variable expansion bug that affects all rule types and should simply be fixed.

parser/apparmor.d.pod | 3 +++ 1 file changed, 3 insertions(+) diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index dd1e6ff..141db36 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -668,6 +668,9 @@ AppArmor 'pivot_root' rules can specify a profile transition to occur during the pivot_root(2) system call. Note that AppArmor will only transition the process calling pivot_root(2) to the new profile. +The paths specified in 'pivot_root' rules must end with '/' since they are +directories. + Here are some example 'pivot_root' rules: # Allow any pivot -- 1.9.1
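
Review bot: The added sentence in the pivot_root paragraph says the paths "must end with '/'" but leaves out the consequence that the commit message itself gives: the parser accepts a path without the trailing '/', and the rule then never matches. A profile author who omits the slash gets no parse error and a rule that silently has no effect, so the man page should say so, for example "A path that does not end with '/' is accepted by the parser, but the rule will never match." It would also help to have one of the example rules that follow show a path argument written with the trailing '/', so the requirement is visible in the examples as well as in the prose.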
