System
apparmorfs
@{apparmorfs}
etc
@{etc_ro} contains a space-separated list of the system configuration directories. Traditionally this means /etc/, but when using a read-only / filesystem, and/or with the goal of keeping only user-modified config files in /etc/, directories like /usr/etc/ are introduced to store the default configuration.
@{etc_ro}
@{etc_ro} contains directories with configuration files, including read-only directories. Do not use @{etc_ro} in rules that allow write access.
@{etc_rw}
@{etc_rw} contains directories where writing to configuration files is allowed. @{etc_rw} should always be a subset of @{etc_ro}.
Only use @{etc_rw} if the profile allows writing to a configuration file. For rules that only allow read access, use @{etc_ro}.
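The rule above can be checked mechanically. The following Python is an added example, not part of the page or of the apparmor.d project: a small lint that scans the file rules of a profile fragment and reports every rule that grants write, append or link permission on a path built from @{etc_ro}. The profile lines are constructed for the example; the rule grammar it parses (optional owner/audit/deny/file qualifiers, a path, a permission string, a trailing comma) is a simplification of the real one, and treating a deny rule as harmless is this example's reading of "rules that allow write access".

```python
import re

# Permissions in an AppArmor file rule that modify the filesystem: write,
# append, and link.  Treating lock ('k') and the exec modes as non-modifying
# is a choice of this example.
WRITE_PERMS = set("wal")

# Simplified file-rule grammar: optional qualifiers, a path (possibly built
# from @{...} variables), a permission string, and the terminating comma.
FILE_RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:owner|audit|deny|file)\s+)*)"
    r"(?P<path>\S+)\s+"
    r"(?P<perms>[rwalkmixpPuUcC]+)\s*,"
)

# Constructed profile fragment for the example.  Lines 2 and 6 grant write or
# append access through @{etc_ro}, which the tunable documentation forbids;
# line 5 is a deny rule and therefore grants nothing.
SAMPLE_PROFILE = """\
  @{etc_ro}/app/app.conf r,  # read only: fine
  @{etc_ro}/app/** rw,
  owner @{etc_rw}/app/state w,
  @{etc_rw}/app/cache.db rwk,
  deny @{etc_ro}/shadow w,
  owner @{etc_ro}/app/log.txt a,
"""


def parse_file_rules(profile_text):
    """Yield (line_no, qualifiers, path, perms) for every file rule found."""
    for no, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = FILE_RULE.match(line)
        if not m:
            continue
        quals = set(m.group("quals").split())
        yield no, quals, m.group("path"), m.group("perms")


def find_etc_ro_writes(profile_text):
    """Return line numbers of rules that grant write access through @{etc_ro}."""
    hits = []
    for no, quals, path, perms in parse_file_rules(profile_text):
        if "deny" in quals:
            continue                          # a deny rule allows nothing
        if "@{etc_ro}" in path and WRITE_PERMS & set(perms):
            hits.append(no)
    return hits


if __name__ == "__main__":
    for no in find_etc_ro_writes(SAMPLE_PROFILE):
        print(f"line {no}: write access granted through @{{etc_ro}}")
```

Run it as a pre-commit check over a profile and fix each reported rule by switching the path to @{etc_rw} (if the profile legitimately needs to write there) or by dropping the write permission.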
kernelvars
This file should contain declarations of kernel vars, or of variables that will become kernel vars at some point.
@{pid}
Until kernel vars are implemented, and until the parser supports nested groupings, use:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
@{tid}
Same pattern as @{pid} for now.
@{pids}
A pattern for pids that can appear
@{uid}
Placeholder for the user id until a kernel var is implemented to match the current user of the confined application. Values are 0...4,294,967,295 (32-bit unsigned, 10 digits).
@{uid}={[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}
@{uids}
Same pattern as @{uid} for now.
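To see exactly what the @{pid} and @{uid} globs above accept, here is an added Python example (not code from the page or from the apparmor.d project). It translates an AppArmor glob with character classes and one level of `{a,b}` alternation into a regular expression, substitutes variables into a rule path, and checks candidate values. The two glob strings are copied from the definitions above; the @{PROC} value and the sample rule path are assumptions made for the example. It also shows a limit of these placeholders: the uid glob cannot express the exact 32-bit bound, so it accepts any ten-digit value starting with 1 to 4, up to 4,999,999,999.

```python
import re

# Variable definitions copied verbatim from the tunables documented above.
PID_GLOB = (
    "{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],"
    "[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}"
)
UID_GLOB = (
    "{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],"
    "[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],"
    "[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"
)

# Assumed values for the example: "/proc" is a plausible @{PROC}, not a value
# taken from the page.
VARS = {"PROC": "/proc", "pid": PID_GLOB, "uid": UID_GLOB}


def glob_to_regex(glob):
    """Translate an AppArmor glob into an anchored Python regex.

    Supported: '*' (any chars except '/'), '**' (any chars incl. '/'),
    '?' (one char except '/'), '[...]' classes, and one level of '{a,b}'
    alternation.  Nested groupings are rejected, mirroring the parser
    limitation mentioned above.
    """
    out, i, in_alt = [], 0, False
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":                       # copy the class through verbatim
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        elif c == "{":
            if in_alt:
                raise ValueError("nested alternation not supported")
            in_alt = True
            out.append("(?:"); i += 1
        elif c == "," and in_alt:
            out.append("|"); i += 1
        elif c == "}" and in_alt:
            in_alt = False
            out.append(")"); i += 1
        else:
            out.append(re.escape(c)); i += 1
    if in_alt:
        raise ValueError("unterminated alternation")
    return "^" + "".join(out) + "$"


def expand_vars(rule, variables=VARS):
    """Replace every @{name} in a rule path with its definition."""
    return re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], rule)


def matches(glob, value):
    """True if the value is accepted by the glob."""
    return re.fullmatch(glob_to_regex(glob), value) is not None


def rule_matches(rule, path, variables=VARS):
    """True if a rule path containing variables accepts the given path."""
    return matches(expand_vars(rule, variables), path)


if __name__ == "__main__":
    for v in ("0", "1", "4194304", "5000000"):
        print(f"@{{pid}} accepts {v!r}: {matches(PID_GLOB, v)}")
    for v in ("0", "4294967295", "4999999999", "5000000000"):
        print(f"@{{uid}} accepts {v!r}: {matches(UID_GLOB, v)}")
    rule = "@{PROC}/@{pid}/status"
    for p in ("/proc/4242/status", "/proc/self/status"):
        print(f"{rule} matches {p}: {rule_matches(rule, p)}")
```

The pid glob rejects 0 and leading zeros and caps at seven digits starting with 1 to 4, which covers the kernel's default pid_max range; note that a rule such as @{PROC}/@{pid}/status therefore does not match /proc/self/status, which needs its own rule.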
@{sys}
Until the kernel var is implemented.
multiarch
@{multiarch}
@{multiarch} is the set of patterns matching multi-arch library install prefixes.
proc
@{PROC}
@{PROC} is the location where procfs is mounted.
run
@{run}
securityfs
@{securityfs}
@{securityfs} is the location where securityfs is mounted.