Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 222


As the append permission is just a subset of the permissions associated with the write
mode, the w and a permission flags cannot be used together and are mutually exclusive.
21.7.4 File Locking Mode (k)
The application can take file locks. Former versions of AppArmor allowed files to be
locked if an application had access to them. By using a separate file locking mode,
AppArmor makes sure locking is restricted only to those files which need file locking
and tightens security as locking can be used in several denial of service attack scenarios.
21.7.5 Link Mode (l)
The link mode mediates access to hard links. When a link is created, the target file must
have the same access permissions as the link created (with the exception that the
destination does not need link access).
21.7.6 Link Pair
The link mode grants permission to create links to arbitrary files, provided the link has
a subset of the permissions granted by the target (subset permission test). By specifying
origin and destination, the link pair rule provides greater control over how hard links
are created. Link pair rules by default do not enforce the link subset permission test
that the link permission in standard rules requires. To force a link pair rule to require
the test, use the subset keyword. The following rules are equivalent:
/link l,
link subset /link -> /**,
NOTE
Currently link pair rules are not supported by YaST and the command line tools.
Manually edit your profiles to use them. Updating such profiles using the tools
is safe, because the link pair entries will not be touched.
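The following audit script is an added example, not part of the guide or of the AppArmor tools. It checks profile text for the constraints described above: w and a used together, link pair rules that omit subset, and which paths carry the k mode. The sample profile, its paths and the simplified rule grammar are assumptions made for illustration.

```python
import re

# Constructed sample profile (hypothetical program and paths, not from the guide).
SAMPLE_PROFILE = """\
/usr/bin/example {
  /var/log/example.log wa,
  /var/lock/example.lock rwk,
  /srv/data/** r,
  /srv/links/* rl,
  link /srv/export/* -> /srv/data/**,
  link subset /srv/export/* -> /srv/data/**,
}
"""

# Simplified grammar (assumption): "<path> <modes>," and
# "link [subset] <link> -> <target>,". Real profiles allow more forms.
FILE_RULE = re.compile(r"^(/\S*)\s+([a-zA-Z]+),$")
LINK_PAIR = re.compile(r"^link\s+(subset\s+)?(/\S*)\s*->\s*(/\S*),$")


def audit(profile_text):
    """Return (line_number, message) findings for the rules described above."""
    findings = []
    for lineno, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        pair = LINK_PAIR.match(line)
        if pair:
            if not pair.group(1):
                findings.append((lineno, "link pair without 'subset': subset permission test not enforced"))
            continue
        rule = FILE_RULE.match(line)
        if rule and {"w", "a"} <= set(rule.group(2)):
            findings.append((lineno, "'w' and 'a' are mutually exclusive"))
    return findings


def lockable_paths(profile_text):
    """List path expressions that carry the file locking mode (k)."""
    paths = []
    for raw in profile_text.splitlines():
        rule = FILE_RULE.match(raw.split("#", 1)[0].strip())
        if rule and "k" in rule.group(2):
            paths.append(rule.group(1))
    return paths


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_PROFILE):
        print(f"line {lineno}: {message}")
    print("lockable:", lockable_paths(SAMPLE_PROFILE))
```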
