Signed-off-by: John Johansen <john.johan...@canonical.com>
---
parser/apparmor.d.pod | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index d44fe33..1cfbe72 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -195,7 +195,7 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"' I<AARE>
'"' | I<AARE> ')' )
B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
-B<FILE RULE> = I<FILE QUALIFIERS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> )
I<ACCESS> [ -E<gt> <EXEC TARGET> ] ','
+B<FILE RULE> = I<FILE QUALIFIERS> ( ( '"' I<FILEGLOB> '"' | I<FILEGLOB> )
I<ACCESS> | [I<ACCESS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) ) [ -E<gt> <EXEC
TARGET> ] ','
B<FILE QUALIFIERS> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ]
@@ -515,6 +515,19 @@ on the new link, it must match the original file exactly.
Allows the program to be able lock a file with this name. This permission
covers both advisory and mandatory locking.
+=item B<leading OR trailing access permissions>
+
+File rules can be specified with the access permission either leading
+or trailing the file glob. Eg.
+
+ rw /**, # leading permissions
+
+ /** rw, # trailing permissions
+
+When a leading permissions is used further rule options and context
+may be allowed, Eg.
+ l /foo -> /bar, # lead 'l' link permission is equivalent to link rules
+
=back
=head2 Comments
--
2.1.4
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
