   link /etc/sysconfig/foo -> /etc/foo.conf,
   /bin/mount            ux,
   /dev/{,u}random       r,
   /etc/ld.so.cache      r,
   /etc/foo/*            r,
   /lib/ld-*.so*         mr,
   /lib/lib*.so*         mr,
   /proc/[0-9]**         r,
   /usr/lib/**           mr,
   /tmp/                 r,
   /tmp/foo.pid          wr,
   /tmp/foo.*            lrw,
   /@{HOME}/.foo_file    rw,
   /@{HOME}/.foo_lock    kw,
   owner /shared/foo/**  rw,   11

   /usr/bin/foobar       cx,   12
   /bin/**               px -> bin_generic,   13

   # a comment about foo's local (children) profile for /usr/bin/foobar.

   profile /usr/bin/foobar {   14
      /bin/bash          rmix,
      /bin/cat           rmix,
      /bin/more          rmix,
      /var/log/foobar*   rwl,
      /etc/foobar        r,
   }

   # foo's hat, bar.
   ^bar {   15
      /lib/ld-*.so*      mr,
      /usr/bin/bar       px,
      /var/spool/*       rwl,
   }
}

This loads a file containing variable definitions.

The normalized path to the program that is confined.

The curly braces ({}) serve as a container for include statements, subprofiles, path entries, capability entries, and network entries.

This directive pulls in components of AppArmor profiles to simplify profiles.

Capability entry statements enable each of the 29 POSIX.1e draft capabilities.

A directive determining the kind of network access allowed to the application. For details, refer to Section 21.5, "Network Access Control" (page 205).
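The listing above shows the rule forms a profile body can contain: `link` rules, path rules with an optional `owner` prefix and a mode string, execute transitions with a named target (`px -> bin_generic`), a local child profile, and a hat. The following parser and linter is an added example written for this page; it is not code from the SUSE guide or from the AppArmor project. It assumes the profile header `/usr/bin/foo {` that precedes the listing on the earlier page, and it relies on the standard meaning of the mode letters (`ux` runs the target unconfined, `px`/`cx` transition to a discrete or local profile). The `profile_lint` helper, the scope naming with `//`, and the sample text are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the example profile from this section. The header
# line "/usr/bin/foo {" is assumed; it sits on the preceding page.
SAMPLE_PROFILE = """\
/usr/bin/foo {
   link /etc/sysconfig/foo -> /etc/foo.conf,
   /bin/mount            ux,
   /dev/{,u}random       r,
   /etc/ld.so.cache      r,
   /etc/foo/*            r,
   /lib/ld-*.so*         mr,
   /lib/lib*.so*         mr,
   /proc/[0-9]**         r,
   /usr/lib/**           mr,
   /tmp/                 r,
   /tmp/foo.pid          wr,
   /tmp/foo.*            lrw,
   /@{HOME}/.foo_file    rw,
   /@{HOME}/.foo_lock    kw,
   owner /shared/foo/**  rw,
   /usr/bin/foobar       cx,
   /bin/**               px -> bin_generic,
   # a comment about foo's local (children) profile for /usr/bin/foobar.
   profile /usr/bin/foobar {
      /bin/bash          rmix,
      /bin/cat           rmix,
      /bin/more          rmix,
      /var/log/foobar*   rwl,
      /etc/foobar        r,
   }
   # foo's hat, bar.
   ^bar
   {
      /lib/ld-*.so*      mr,
      /usr/bin/bar       px,
      /var/spool/*       rwl,
   }
}
"""

MODE_LETTERS = set("rwalkmixupcUPC")          # valid AppArmor file-mode letters

RULE_RE = re.compile(r"^(?P<owner>owner\s+)?(?P<path>\S+)\s+(?P<mode>[A-Za-z]+)"
                     r"(?:\s*->\s*(?P<target>\S+))?\s*,$")
LINK_RE = re.compile(r"^link\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*,$")
OPEN_RE = re.compile(r"^(?:profile\s+)?(?P<name>\S+)\s*\{$")   # "/path {", "^hat {"


@dataclass
class FileRule:
    scope: str                  # enclosing profile; nested ones are joined with "//"
    path: str
    mode: str
    owner: bool = False
    target: Optional[str] = None  # named transition target of "px -> name"


def parse_profile(text: str) -> Tuple[List[FileRule], List[Tuple[str, str, str]]]:
    """Parse path and link rules, tracking which profile, child or hat owns them."""
    text = re.sub(r"\n\s*\{", " {", text)   # tolerate "{" on its own line
    scope: List[str] = []
    rules: List[FileRule] = []
    links: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        if raw.strip().startswith("#include"):
            continue                           # includes are not expanded here
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        if line == "}":
            scope.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            name = m.group("name")
            if name.startswith("^"):           # hat: addressed as parent//hat
                name = name[1:]
            scope.append(scope[-1] + "//" + name if scope else name)
            continue
        m = LINK_RE.match(line)
        if m:
            links.append((scope[-1], m.group("src"), m.group("dst")))
            continue
        m = RULE_RE.match(line)
        if m and set(m.group("mode")) <= MODE_LETTERS:
            rules.append(FileRule(scope[-1], m.group("path"), m.group("mode"),
                                  bool(m.group("owner")), m.group("target")))
            continue
        raise ValueError(f"unrecognised rule: {raw!r}")
    if scope:
        raise ValueError("unbalanced braces in profile")
    return rules, links


def profile_lint(rules: List[FileRule]) -> List[str]:
    """Constructed checks a reviewer would run before loading a profile."""
    findings = []
    for r in rules:
        where = f"{r.scope}: {r.path} {r.mode}"
        if "u" in r.mode or "U" in r.mode:
            findings.append(f"{where}: target runs unconfined (ux); prefer px/cx with a profile")
        if "w" in r.mode and "x" in r.mode:
            findings.append(f"{where}: path is both writable and executable")
        if "x" in r.mode and "**" in r.path:
            findings.append(f"{where}: execute permission granted on a broad glob")
    return findings


if __name__ == "__main__":
    parsed_rules, parsed_links = parse_profile(SAMPLE_PROFILE)
    for finding in profile_lint(parsed_rules):
        print(finding)
```

Running it on the sample reports two findings: `/bin/mount ux`, which lets `mount` run without confinement, and `/bin/** px -> bin_generic`, an execute grant on a broad glob. The hat rules come back scoped as `/usr/bin/foo//bar`, which is how AppArmor itself names hats.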
Profile Components and Syntax
199