On 04/11/2012 09:32 AM, Steve Beattie wrote:
> On Wed, Apr 11, 2012 at 11:22:20AM -0500, Jamie Strandboge wrote:
>> On Wed, 2012-04-11 at 07:50 -0700, Steve Beattie wrote:
>>> On Tue, Apr 10, 2012 at 05:06:59PM -0500, Jamie Strandboge wrote:
>>
>>>> +=item B<mount options=ro, mount options=atime /dev/foo,>
>>>
>>> Doesn't the first part need to be 'mount options=ro /dev/foo,' in order
>>> for it to allow the mount of only /dev/foo anywhere?
>>
>> I'd like for John to comment here, but based on the wiki[1], no. Eg:
>>
>> "When both = and in conditional operators are used the options within
>> each condition type can be combined and split interchangeably.
>>
>> mount options=(ro, acl) options in (nodev, user)"
>
> Right, except your example has two rules, no?
>
> mount options=ro,
> mount options=atime /dev/foo,
>
> if it were
>
> mount options=ro options=atime /dev/foo,
>
> then it would do what you want, I think. At least, based on my
> understanding of how the rules work.
>
Yep, the first rule allows mounting anything as long as the options set = ro;
the second is allowing /dev/foo to be mounted anywhere. So the

>> "When both = and in conditional operators are used the options within
>> each condition type can be combined and split interchangeably."

is for within a single rule, that is to say

mount options=ro options=atime /dev/foo,

is equivalent to

mount options=(ro, atime) /dev/foo,

not

mount options=ro /dev/foo,
mount options=atime /dev/foo,

though now thinking about it, this last interpretation might be better. It is not too late to change this, so I would like opinions.
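A toy evaluator for the two readings discussed above, added here as an illustration and not taken from AppArmor's parser; it assumes `options=` means the mount's option set must match the rule's set exactly and that a rule with no source path matches any source.

```python
import re

# Matches one "options=" clause: either options=(a, b) or a bare options=a
_OPTS = re.compile(r"options=(\((?P<paren>[^)]*)\)|(?P<bare>\S+))")


def parse_rule(rule: str):
    """Parse a simplified mount rule into (list of option sets, source or None)."""
    body = rule.strip().rstrip(",")
    if not body.startswith("mount"):
        raise ValueError("not a mount rule: %r" % rule)
    body = body[len("mount"):]
    option_sets = []
    for m in _OPTS.finditer(body):
        raw = m.group("paren") if m.group("paren") is not None else m.group("bare")
        option_sets.append(frozenset(o.strip() for o in raw.split(",") if o.strip()))
    rest = _OPTS.sub("", body).split()
    source = rest[0] if rest else None  # assumption: at most one source path
    return option_sets, source


def allows(rule: str, source: str, options, combine: bool = True) -> bool:
    """Does `rule` permit mounting `source` with exactly `options`?

    combine=True  -> current reading: several options= clauses in one rule
                     merge into a single set (options=ro options=atime ==
                     options=(ro, atime)).
    combine=False -> alternative reading: each clause stands on its own, as
                     if it were a separate rule.
    """
    option_sets, rule_source = parse_rule(rule)
    if rule_source is not None and rule_source != source:
        return False
    if not option_sets:
        return True  # no options condition at all
    opts = frozenset(options)
    if combine:
        return opts == frozenset().union(*option_sets)
    return any(opts == s for s in option_sets)


if __name__ == "__main__":
    rule = "mount options=ro options=atime /dev/foo,"
    print(allows(rule, "/dev/foo", ["ro", "atime"]))          # True under both readings
    print(allows(rule, "/dev/foo", ["ro"]))                   # False: merged set is {ro, atime}
    print(allows(rule, "/dev/foo", ["ro"], combine=False))    # True: clause-by-clause
```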
