System

apparmorfs

@{apparmorfs}

@{apparmorfs}=@{securityfs}/apparmor/

etc

@{etc_ro} contains a space-separated list of the system configuration directories. Traditionally this means only /etc/, but on systems with a read-only / filesystem, or with the goal of keeping only user-modified config files in /etc/, additional directories such as /usr/etc/ are introduced to hold the default configuration.

@{etc_ro}

@{etc_ro} contains directories with configuration files, including read-only directories. Do not use @{etc_ro} in rules that allow write access.

@{etc_ro}=/etc/ /usr/etc/

@{etc_rw}

@{etc_rw} contains directories where writing to configuration files is allowed. @{etc_rw} should always be a subset of @{etc_ro}.

Only use @{etc_rw} if the profile allows writing to a configuration file. For rules that only allow read access, use @{etc_ro}.

@{etc_rw}=/etc/
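As an added example (not part of this page or of the AppArmor project), a small Python linter that parses the two definitions above and checks a profile's file rules against the stated discipline: @{etc_rw} must be a subset of @{etc_ro}, no rule may grant write permission through @{etc_ro}, and a read-only rule should not use @{etc_rw}. It also expands each flagged path so the reader can see which concrete directories the rule would cover. The tunables and profile rules below are constructed samples with hypothetical file names.

```python
import re

# Constructed sample tunables, mirroring the definitions on this page.
TUNABLES = """
@{etc_ro}=/etc/ /usr/etc/
@{etc_rw}=/etc/
"""

# Constructed sample profile rules (hypothetical file names, not from a real profile).
PROFILE_RULES = """
  @{etc_ro}/foo.conf r,
  @{etc_rw}/foo.conf rw,
  @{etc_ro}/foo.d/{,*} w,
  owner @{etc_ro}/bar.conf rwk,
  @{etc_rw}/baz.conf r,
"""

VAR_DEF = re.compile(r"^\s*@\{(\w+)\}\s*=\s*(.+?)\s*$")
FILE_RULE = re.compile(r"^\s*(?:owner\s+)?(\S+)\s+([A-Za-z]+)\s*,\s*$")

def parse_tunables(text):
    """Return {name: [values]} for every '@{name}=a b c' definition line."""
    return {m.group(1): m.group(2).split()
            for m in map(VAR_DEF.match, text.splitlines()) if m}

def rw_is_subset_of_ro(tunables):
    """The invariant stated above: every @{etc_rw} entry must also be in @{etc_ro}."""
    return set(tunables["etc_rw"]) <= set(tunables["etc_ro"])

def expand(path, tunables):
    """Expand a leading @{var} reference into the concrete paths it covers."""
    m = re.match(r"@\{(\w+)\}(.*)", path)
    if not m:
        return [path]
    # The variables end in '/', so collapse the doubled slash the concatenation produces.
    return [re.sub(r"/+", "/", v + m.group(2)) for v in tunables[m.group(1)]]

def lint_rules(text, tunables):
    """Flag write access through @{etc_ro} and read-only rules through @{etc_rw}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FILE_RULE.match(line)
        if not m:
            continue
        path, perms = m.groups()
        writes = bool(set(perms) & set("wa"))  # 'w' write and 'a' append modify the file
        if path.startswith("@{etc_ro}") and writes:
            findings.append((lineno, "etc_ro-with-write", expand(path, tunables)))
        elif path.startswith("@{etc_rw}") and not writes:
            findings.append((lineno, "etc_rw-read-only", expand(path, tunables)))
    return findings

if __name__ == "__main__":
    t = parse_tunables(TUNABLES)
    print("etc_rw subset of etc_ro:", rw_is_subset_of_ro(t))
    for lineno, kind, paths in lint_rules(PROFILE_RULES, t):
        print(f"line {lineno}: {kind}: rule covers {paths}")
```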

kernelvars

This file should contain declarations of kernel vars, or of variables that will become kernel vars at some point.

@{pid}

Until kernel vars are implemented, and until the parser supports nested groupings, use:

@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}

@{tid}

Same pattern as @{pid} for now.

@{tid}=@{pid}

@{pids}

A pattern for pids that can appear.

@{pids}=@{pid}

@{uid}

Placeholder for user id until kernel var is implemented to match current user of the confined application. Values are 0...4,294,967,295 (32-bit unsigned, 10 digits).

@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}

@{uids}

Same pattern as @{uid} for now.

@{uids}=@{uid}

@{sys}

Until the kernel var is implemented.

@{sys}=/sys/

multiarch

@{multiarch}

@{multiarch} is the set of patterns matching multi-arch library install prefixes.

@{multiarch}=*-linux-gnu*

proc

@{PROC}

@{PROC} is the location where procfs is mounted.

@{PROC}=/proc/

run

@{run}

@{run}=/run/ /var/run/

securityfs

@{securityfs}

@{securityfs} is the location where securityfs is mounted.

@{securityfs}=@{sys}/kernel/security/