On 05/25/2016 01:59 PM, Tyler Hicks wrote: > Signed-off-by: Tyler Hicks <[email protected]>
Acked-by: John Johansen <[email protected]> > --- > parser/apparmor.d.pod | 18 +++++++++++++++++- > 1 file changed, 17 insertions(+), 1 deletion(-) > > diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod > index 96d8ec4..fff471b 100644 > --- a/parser/apparmor.d.pod > +++ b/parser/apparmor.d.pod > @@ -277,7 +277,9 @@ B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z') > > B<ALPHANUMERIC> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', > ... 'Z') > > -B<CHANGE_PROFILE RULE> = 'change_profile' [ I<EXEC COND> ] [ '-E<gt>' > I<PROFILE NAME> ] > +B<CHANGE_PROFILE RULE> = 'change_profile' [ [ I<EXEC MODE> ] I<EXEC COND> ] > [ '-E<gt>' I<PROFILE NAME> ] > + > +B<EXEC_MODE> = ( 'safe' | 'unsafe' ) > > B<EXEC COND> = I<FILEGLOB> > > @@ -1208,6 +1210,20 @@ rule set. Eg. > /bin/bash Px -> new_profile1, > change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3}, > > +The exec mode dictates whether or not the Linux Kernel's B<unsafe_exec> > +routines should be used to scrub the environment, similar to setuid programs. > +(See ld.so(8) for some information on setuid/setgid environment scrubbing.) > The > +B<safe> mode sets up environment scrubbing to occur when the new application > is > +executed and B<unsafe> mode disables AppArmor's requirement for environment > +scrubbing (the kernel and/or libc may still require environment scrubbing). > An > +exec mode can only be specified when an exec condition is present. > + > + change_profile safe /bin/bash -> new_profile, > + > +Not all kernels support B<safe> mode and the parser will downgrade rules to > +B<unsafe> mode in that situation. If no exec mode is specified, the default > is > +B<safe> mode in kernels that support it. > + > =head2 rlimit rules > > AppArmor can set and control the resource limits associated with a > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
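Review bot: In the grammar hunk (@@ -277,7 +277,9 @@), the new nonterminal is defined as `B<EXEC_MODE>` with an underscore, but the updated CHANGE_PROFILE RULE production refers to it as `I<EXEC MODE>` with a space, which is also the spelling convention of the neighbouring `B<EXEC COND>`. As written, the rule references a name that is never defined. Suggest renaming the definition to `B<EXEC MODE> = ( 'safe' | 'unsafe' )` so the reference and the definition match.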
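Review bot: In the documentation hunk (@@ -1208,6 +1210,20 @@), the final added paragraph says the parser "will downgrade rules to B<unsafe> mode" on kernels without B<safe> support, but it does not say whether the parser reports the downgrade. A policy author who writes `change_profile safe /bin/bash -> new_profile,` has no way to learn from this text that AppArmor's environment scrubbing requirement was dropped at load time. Please state whether a warning is emitted, and say explicitly that a rule with no exec mode is treated as B<unsafe> on such kernels, since "the default is B<safe> mode in kernels that support it" leaves the other case implicit. Separately, the first added sentence ties environment scrubbing to the kernel's B<unsafe_exec> routines while the scrubbing mode is called B<safe>; a short clause explaining that naming would prevent readers from inverting the two modes.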
