User's Guide
The easiest way of explaining what a profile is comprised of and how to
create one is to show the details of a sample profile. Consider, for
example, the following profile for the program, /sbin/klogd:
# profile to confine klogd
/sbin/klogd
{
  #include <abstractions/base>
  capability sys_admin,
  /boot/* r,
  /proc/kmsg r,
  /sbin/klogd r,
  /var/run/klogd.pid lw,
}
The first line: The first line is a comment.
The second line: The second line gives the absolute path of the program to be confined. In this example, whenever a program named /sbin/klogd executes, it is confined by this profile.
Subsequent lines within the braces {}: The remaining lines take one of several forms:
• #include directives, which pull in shared components of Novell AppArmor profiles to keep individual profiles short.
• Capability entries, statements that enable each of the 32 POSIX.1e capabilities individually.
• Path entries, in which the first part specifies the absolute path of a file (possibly including regular expression globbing) and the second part indicates the permissible access modes (r: read, w: write, and x: execute).
Spaces or Tabs: White space of any kind (spaces or tabs) can precede path names or separate the path name from the access modes. White space between the access mode and the trailing comma is optional.