So just a little more explanation of the mount rules weirdness.
On the backend we are given a bit mask, with one bit per flag, and some
flags are the inverse of the other, e.g. ro is set, rw when the bit is cleared.
The backend apparmor rules match a ternary: set, clear, or don't care (either
value set).
Now to the front end: it actually tracks the positive and negative sets
separately,
so at the front end we could say
    options in (ro,nodev)
is only {ro, nodev}, {ro}, {nodev}, but there is no point because we can't
distinguish in the backend, so options in basically becomes a list of flags that
are don't cares (can be set or clear).
Yes, it is a mess, and confusing, but I don't see a way to fix this.
--
AppArmor mailing list
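The mismatch described in the message above, as an added C model that is not AppArmor parser or kernel code: it enumerates every flag combination and compares the front-end reading of `options in (ro,nodev)` with what a per-bit ternary match can express. The flag values, struct and function names are hypothetical, and lowering flags outside the list to "must be clear" is an assumption of this model.

```c
#include <stdio.h>

/* Constructed flag bits for this model, one bit per mount flag.
 * "rw" has no bit of its own: it is FLAG_RO being clear. */
#define FLAG_RO     0x1u
#define FLAG_NODEV  0x2u
#define FLAG_NOSUID 0x4u
#define ALL_FLAGS   (FLAG_RO | FLAG_NODEV | FLAG_NOSUID)

/* Backend view: a bit is must-be-set, must-be-clear, or (in neither) don't care. */
struct ternary_rule { unsigned must_set, must_clear; };

static int backend_match(struct ternary_rule r, unsigned flags)
{
    return (flags & r.must_set) == r.must_set && (flags & r.must_clear) == 0;
}

/* Assumed lowering of "options in (list)": listed flags become don't cares,
 * every other modelled flag must be clear. */
static struct ternary_rule lower_options_in(unsigned list)
{
    struct ternary_rule r = { 0, ALL_FLAGS & ~list };
    return r;
}

/* Front-end reading from the message: a non-empty subset of the list. */
static int frontend_in(unsigned list, unsigned flags)
{
    return flags != 0 && (flags & ~list) == 0;
}

/* Count the flag combinations on which the two readings disagree. */
static int count_disagreements(unsigned list)
{
    struct ternary_rule r = lower_options_in(list);
    int n = 0;
    for (unsigned f = 0; f <= ALL_FLAGS; f++) {
        int fe = frontend_in(list, f), be = backend_match(r, f);
        printf("ro=%d nodev=%d nosuid=%d  front-end=%d backend=%d\n",
               !!(f & FLAG_RO), !!(f & FLAG_NODEV), !!(f & FLAG_NOSUID), fe, be);
        n += (fe != be);
    }
    return n;
}

int main(void)
{
    printf("disagreements: %d\n", count_disagreements(FLAG_RO | FLAG_NODEV));
    return 0;
}
```

The single disagreement is the empty set (rw, dev allowed): a per-bit ternary has no way to say "at least one of these", so the rule also accepts a mount with neither flag.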