Read Mode; Write Mode; Discrete Profile Execute Mode; Unconstrained Execute Mode - Novell APPARMOR Admin Manual


User's Guide

Read Mode

Allows the program to have read access to the resource. Read access
is required for shell scripts and other interpreted content, and determines
if an executing process can core dump or be attached to with
ptrace(2). (ptrace(2) is used by utilities such as strace(1), ltrace(1), and
gdb(1).)

Write Mode

Allows the program to have write access to the resource. Files must
have this permission if they are to be unlinked (removed).

Discrete Profile Execute Mode

This mode requires that a discrete security profile is defined for a
resource executed at a Novell AppArmor domain transition. If no
profile is defined, the access is denied. Incompatible with
Inherit and Unconstrained execute entries.

Unconstrained Execute Mode

Allows the program to execute the resource without any Novell AppArmor
profile being applied to the executed resource. Requires listing
execute mode as well. Incompatible with Inherit and Discrete Profile
execute entries.
This mode is useful when a confined program needs to be able to perform
a privileged operation, such as rebooting the machine. By placing
the privileged section in another executable and granting unconstrained
execution rights, it is possible to bypass the mandatory constraints
imposed on all confined processes. For more information on
what is constrained, see the subdomain(7) man page.

Inherit Execute Mode

Prevent the normal Novell AppArmor domain transition on execve(2)
when the profiled program executes the resource. Instead, the executed
resource will inherit the current profile. Incompatible with Unconstrained
and Discrete Profile execute entries. This mode is useful when
a confined program needs to call another confined program without
gaining the permissions of the target's profile, or losing the permis-
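The execute-mode rules described above (a Discrete Profile, Unconstrained or Inherit qualifier needs the execute mode listed and excludes the other two) as an added checker, written here as an example and not taken from the manual or from the AppArmor tools; it parses the `<path> <modes>,` rule form this manual uses and also lists every ux target, since those run outside confinement and deserve review. The profile body is constructed.

```python
import re

# Mode letters documented on this page (Novell AppArmor era syntax): r = read,
# w = write, x = execute, and x qualified by exactly one of p (discrete
# profile), u (unconstrained) or i (inherit).
EXEC_QUALIFIERS = {"p": "discrete profile", "u": "unconstrained", "i": "inherit"}
KNOWN_MODES = set("rwx") | set(EXEC_QUALIFIERS)
RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-z]+)\s*,\s*(#.*)?$")


def check_rule(line):
    """Return the problems found in one '<path> <modes>,' line ([] if it is fine)."""
    m = RULE_RE.match(line)
    if not m:
        return ["not a '<path> <modes>,' file rule: " + line.strip()]
    path, modes, _ = m.groups()
    problems = []
    unknown = sorted(set(modes) - KNOWN_MODES)
    if unknown:
        problems.append(f"{path}: unknown mode letter(s) {''.join(unknown)}")
    quals = [q for q in modes if q in EXEC_QUALIFIERS]
    if len(quals) > 1:
        names = " and ".join(EXEC_QUALIFIERS[q] for q in quals)
        problems.append(f"{path}: {names} execute entries are incompatible")
    if quals and "x" not in modes:
        problems.append(f"{path}: execute qualifier given without the x mode")
    return problems


def audit_profile(text):
    """Check each file rule in a profile body; return (problems, unconfined_paths).
    ux targets escape confinement entirely, so each one deserves a reviewer's eye."""
    problems, unconfined = [], []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", "capability")) or s.endswith("{") or s == "}":
            continue  # comments, includes, capability rules and braces: out of scope here
        probs = check_rule(line)
        problems.extend(probs)
        m = RULE_RE.match(line)
        if not probs and "u" in m.group(2):  # a clean rule with u always carries x too
            unconfined.append(m.group(1))
    return problems, unconfined


# Constructed sample profile body (not from the manual); the last two rules are wrong.
SAMPLE = "\n".join([
    "/usr/bin/example {", "  /etc/example.conf r,", "  /var/log/example.log w,",
    "  /usr/bin/example-helper ix,", "  /sbin/reboot ux,",
    "  /usr/lib/example/plugin pxux,", "  /usr/lib/example/other p,", "}",
])
```

Calling `audit_profile(SAMPLE)` reports the two bad rules and returns `/sbin/reboot` as the only unconstrained execute target.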