This makes some of the references to functions in the aa_query_label(2) manpage more consistent and fixes a couple of grammar issues. It also tries to make the qualifying statements in apparmor.d(5) more distinct, and also fixes some typos there as well.
Signed-off-by: Steve Beattie <[email protected]> --- libraries/libapparmor/doc/aa_query_label.pod | 16 +++++----- parser/apparmor.d.pod | 40 ++++++++++++++++----------- 2 files changed, 33 insertions(+), 23 deletions(-) Index: b/libraries/libapparmor/doc/aa_query_label.pod =================================================================== --- a/libraries/libapparmor/doc/aa_query_label.pod +++ b/libraries/libapparmor/doc/aa_query_label.pod @@ -47,22 +47,22 @@ Link with B<-lapparmor> when compiling. =head1 DESCRIPTION -The aa_query_label function fetches the current permissions granted by the +The B<aa_query_label> function fetches the current permissions granted by the specified I<label> in the I<query> string. The query is a raw binary formatted query, containing the label and permission query to make. The returned I<allowed> and I<audited> values are -interpreted boolean values, simple stating whether the query is allowed and +interpreted boolean values, simply stating whether the query is allowed and if it is audited. The mask of the query string is a bit mask of permissions to query and is -class type dependent (see AA_CLASS_xxx) entries in I<sys/apparmor.h>. +class type dependent (see B<AA_CLASS_xxx> entries in I<sys/apparmor.h>). The format of the query string is also dependent on the B<AA_CLASS> and as -such the the aa_query_xxx helper functions should usually be used instead -of directly using I<aa_query_label>. If directly using the interface the +such the aa_query_xxx helper functions should usually be used instead +of directly using B<aa_query_label>. If directly using the interface the I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE> -that will be used by I<aa_query_label>. +that will be used by B<aa_query_label>. The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper function that assemble a properly formatted file path query for the 
@@ -92,9 +92,9 @@ error, -1 is returned, and errno(3) is s The requested I<mask> is empty. -The I<size> of the query is E<lt> the query B<AA_QUER?Y_CMD_LABEL_SIZE> +The I<size> of the query is less than the query B<AA_QUERY_CMD_LABEL_SIZE> -The apparmor kernel module is not loaded or the he kernel interface access +The apparmor kernel module is not loaded or the kernel interface access interface is not available =item B<ENOMEM> Index: b/parser/apparmor.d.pod =================================================================== --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -46,13 +46,15 @@ to the policy; this behaviour is modelle B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )* -B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* (variable assignment must come before the profile) +B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* + Variable assignment must come before the profile. B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> ) B<ABS PATH> = '"' path '"' (the path is passed to open(2)) -B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>' (the path is relative to F</etc/apparmor.d/>) +B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>' + The path is relative to F</etc/apparmor.d/>. B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n' @@ -86,7 +88,7 @@ B<SUBPROFILE> = 'profile' I<PROFILE NAME B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}' -B<HATNAME> = ( must start with alphanumeric character. see aa_change_hat(2) for a description of how this "hat" is used. IF '^' is used to start a hat then there is no space between the '^' and I<HATNAME>) +B<HATNAME> = (must start with alphanumeric character. See aa_change_hat(2) for a description of how this "hat" is used. If '^' is used to start a hat then there is no space between the '^' and I<HATNAME>) B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK> 
@@ -193,31 +195,33 @@ B<DBUS LABEL> = 'label' '=' '(' '"' I<AA B<DBUS ACCESS LIST> = Comma separated list of I<DBUS ACCESS> -B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' ) (some accesses are incompatible with some rules; see below.) +B<DBUS ACCESS> = ( 'send' | 'receive' | 'bind' | 'eavesdrop' ) + Some accesses are incompatible with some rules; see below. -B<AARE> = B<?*[]{}^> (see below for meanings) +B<AARE> = B<?*[]{}^> + See below for meanings. B<UNIX RULE> = [ I<QUALIFIERS> ] 'unix' [ I<UNIX ACCESS EXPR> ] [ I<UNIX RULE CONDS> ] [ I<UNIX LOCAL EXPR> ] [ I<UNIX PEER EXPR> ] B<UNIX ACCESS EXPR> = ( I<UNIX ACCESS> | I<UNIX ACCESS LIST> ) B<UNIX ACCESS> = ( 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) - (some access modes are incompatible with some rules or require additional parameters) + Some access modes are incompatible with some rules or require additional parameters. B<UNIX ACCESS LIST> = '(' I<UNIX ACCESS> ( [','] I<UNIX ACCESS> )* ')' B<UNIX RULE CONDS> = ( I<TYPE COND> | I<PROTO COND> ) - each cond can appear at most once + Each cond can appear at most once. B<TYPE COND> = 'type' '=' ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' ) B<PROTO COND> = 'protocol' '=' ( I<AARE> | '(' ( '"' I<AARE> '"' | I<AARE> )+ ')' ) B<UNIX LOCAL EXPR> = ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> | I<UNIX ATTR COND> | I<UNIX OPT COND> )* - each cond can appear at most once + Each cond can appear at most once. B<UNIX PEER EXPR> = 'peer' '=' ( I<UNIX ADDRESS COND> | I<UNIX LABEL COND> )+ - each cond can appear at most once + Each cond can appear at most once. B<UNIX ADDRESS COND> 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' ) 
@@ -233,13 +237,17 @@ B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' | B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT TIME> | I<RLIMIT NICE> ) -B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'. +B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) + Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'. -B<RLIMIT NUMBER> = number from 0 to max rlimit value. Only applies ot RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio' +B<RLIMIT NUMBER> = number from 0 to max rlimit value. + Only applies to RLIMIT of 'ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio'. -B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' ) Only applies to RLIMIT of 'cpu', 'rttime'. RLIMIT 'cpu' only allows units >= 'seconds'. +B<RLIMIT TIME> = I<NUMBER> ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds' | 's' | 'sec' | 'second' | 'seconds' | 'min' | 'minute' | 'minutes' | 'h' | 'hour' | 'hours' | 'd' | 'day' | 'days' | 'week' | 'weeks' ) + Only applies to RLIMIT of 'cpu' and 'rttime'. RLIMIT 'cpu' only allows units E<gt>= 'seconds'. -B<RLIMIT NICE> = a number between -20 and 19. Only applies to RLIMIT of 'nice' +B<RLIMIT NICE> = a number between -20 and 19. + Only applies to RLIMIT of 'nice'. B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS> | I<ACCESS> I<FILEGLOB> ) [ '-E<gt>' I<EXEC TARGET> ] ) 
@@ -251,9 +259,11 @@ B<UNQUOTED FILEGLOB> = (must start with B<ACCESS> = ( 'r' | 'w' | 'a' | 'l' | 'k' | 'm' | I<EXEC TRANSITION> )+ (not all combinations are allowed; see below.) -B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' ) ('x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier) +B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' | 'Pix' | 'cix' | 'Cix' | 'pux' | 'PUx' | 'cux' | 'CUx' | 'x' ) + A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier. -B<EXEC TARGET> = name (requires I<EXEC TRANSITION> specified) +B<EXEC TARGET> = name + Requires I<EXEC TRANSITION> specified. B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB> -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
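Review bot: in the first aa_query_label.pod hunk the trailing context line still reads "are helper function that assemble", which should be "are helper functions that assemble"; since this patch is already fixing grammar in that paragraph it is worth folding in. Also, aa_query_label is switched from I<> to B<> throughout, but "the aa_query_xxx helper functions" on the same line is left unformatted; B<aa_query_xxx> would match the new convention and the B<AA_CLASS_xxx> style introduced two lines earlier.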
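Review bot: in the second aa_query_label.pod hunk the rewritten line "The I<size> of the query is less than the query B<AA_QUERY_CMD_LABEL_SIZE>" has no terminating period (the neighbouring "The requested I<mask> is empty." has one), and the stray "the query" before the constant reads oddly; "is less than B<AA_QUERY_CMD_LABEL_SIZE>." would do. The line below still says "kernel interface access interface is not available", where one of the two "interface"s is redundant; since the hunk already touches that line to drop "the he", dropping the duplicate there too would be cheap.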
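Review bot: in the first apparmor.d.pod hunk, B<ABS PATH> = '"' path '"' (the path is passed to open(2)) keeps its inline parenthetical while the sibling B<MAGIC PATH> qualifier is moved onto its own indented line, so two adjacent productions now use different conventions; give ABS PATH the same treatment. It is also worth confirming in the pod2man output that the leading-space continuation lines keep their line break: in an ordinary POD paragraph leading whitespace is collapsed, so the qualifier would simply run on after the grammar unless the paragraph is rendered verbatim.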
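Review bot: the HATNAME hunk keeps the qualifier in parenthetical form "(must start with alphanumeric character. See aa_change_hat(2) ...)" while the rest of the patch moves such qualifiers onto their own indented lines; for consistency with the stated goal it should get the same treatment, and "alphanumeric character" wants an article ("an alphanumeric character").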
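Review bot: in the UNIX rules hunk the trailing context line B<UNIX ADDRESS COND> 'addr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' ) is missing the '=' between the nonterminal and its definition that every other production here has (compare B<TYPE COND> = 'type' '=' ...), and its parenthesised alternative lacks the ( ... )+ grouping used by TYPE COND and PROTO COND; since the patch is already editing this region, fixing both would be worthwhile. Now that the qualifiers are full sentences, "Each cond can appear at most once." could also spell out "condition".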
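Review bot: in the RLIMIT hunk, B<RLIMIT NUMBER> = number from 0 to max rlimit value. and B<RLIMIT NICE> = a number between -20 and 19. use the plain word "number" where RLIMIT SIZE and RLIMIT TIME use the I<NUMBER> nonterminal; using I<NUMBER> in all four productions would keep the grammar uniform.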
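Review bot: in the EXEC TRANSITION hunk, "A bare 'x' is only allowed in rules with the deny qualifier, everything else only without the deny qualifier." is a comma splice; a semicolon or "and" would fix it. The B<ACCESS> context line two lines above still carries its parenthetical "(not all combinations are allowed; see below.)" inline, which is the style the patch is otherwise removing; splitting it out the same way as EXEC TRANSITION would keep the section consistent.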
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
