B<PROGRAMCHILD> = I<SUBPROFILE> name

B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> | I<PIVOT ROOT> )

B<MOUNT> = [ 'audit' ] [ 'deny' ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ -> [ I<MOUNTPOINT FILEGLOB> ] ]

B<REMOUNT> = [ 'audit' ] [ 'deny' ] 'remount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>

B<UMOUNT> = [ 'audit' ] [ 'deny' ] 'umount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>

B<PIVOT ROOT> = [ 'audit' ] [ 'deny' ] 'pivot_root' [ I<OLD ABS PATH> ] [ I<MOUNTPOINT ABS PATH> ] [ -> I<PROGRAMCHILD> ]

B<MOUNT CONDITIONS> = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) I<MOUNT FSTYPE EXPRESSION> ] [ 'options' ( '=' | 'in' ) I<MOUNT FLAGS EXPRESSION> ]

B<MOUNT FSTYPE EXPRESSION> = ( I<MOUNT FSTYPE LIST> | I<MOUNT EXPRESSION> )

B<MOUNT FSTYPE LIST> = Comma-separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc)

B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )

B<MOUNT FLAGS LIST> = Comma-separated list of I<MOUNT FLAGS>.

B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )

B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...

B<AARE> = B<?*[]{}^> (see below for meanings)

B<FILE RULE> = I<RULE QUALIFIER> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> ','

B<RULE QUALIFIER> = [ 'audit' ] [ 'deny' ] [ 'owner' ]

B<FILEGLOB> = (must start with '/' (after variable expansion); the B<AARE> characters have special meanings, see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)

B<ACCESS> = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx -> ' I<PROGRAMCHILD> | 'Cx -> ' I<PROGRAMCHILD> | 'm' ) [ I<ACCESS> ... ] (not all combinations are allowed; see below.)
  network inet tcp,   # allow access to tcp only for inet4 addresses
  network inet6 tcp,  # allow access to tcp only for inet6 addresses
AppArmor supports mount mediation and allows specifying filesystem types and
mount flags. The syntax of mount rules in AppArmor is based on the mount(8)
command syntax. Mount rules must contain one of the mount, remount, umount or
pivot_root keywords, but all mount conditions are optional. Unspecified
optional conditionals are assumed to match all entries (eg, not specifying
fstype means all fstypes are matched). Due to the complexity of the mount
command and how options may be specified, AppArmor allows specifying
conditionals three different ways:
If a conditional is specified using '=', then the rule only grants permission
for mounts whose options are exactly the specified set, no more and no fewer.
For example, an AppArmor policy with the following rule:

  mount options=ro /dev/foo -> /mnt/,

will match:

  $ mount -o ro /dev/foo /mnt

but neither of these:

  $ mount -o ro,atime /dev/foo /mnt
  $ mount -o rw /dev/foo /mnt
If a conditional is specified using 'in', then the rule grants permission for
mounts matching any combination of the specified options. For example, if an
AppArmor policy has the following rule:

  mount options in (ro,atime) /dev/foo -> /mnt/,

all of these mount commands will match:

  $ mount -o ro /dev/foo /mnt
  $ mount -o ro,atime /dev/foo /mnt
  $ mount -o atime /dev/foo /mnt

but none of these will:

  $ mount -o ro,sync /dev/foo /mnt
  $ mount -o ro,atime,sync /dev/foo /mnt
  $ mount -o rw /dev/foo /mnt
  $ mount -o rw,noatime /dev/foo /mnt
  $ mount /dev/foo /mnt
If multiple conditionals are specified in a single mount rule, then the rule
grants permission for each set of options separately: the conditionals are
alternatives, not a combined requirement. This provides a shorthand when
writing mount rules which might help to logically break up a conditional. For
example, if an AppArmor policy has the following rule:

  mount options=ro options=atime,

both of these mount commands will match:

  $ mount -o ro /dev/foo /mnt
  $ mount -o atime /dev/foo /mnt

but this one will not:

  $ mount -o ro,atime /dev/foo /mnt
Note that separate mount rules are distinct and the options do not accumulate.
For example, these AppArmor mount rules:

  mount options=ro,
  mount options=atime,

are not equivalent to either of these mount rules:

  mount options=(ro,atime),
  mount options in (ro,atime),
To help clarify the flexibility and complexity of mount rules, here are some
example rules with accompanying matching commands:

=item B<mount,>

the 'mount' rule without any conditionals is the most generic and allows any
mount. Equivalent to 'mount fstype=** options=** ** -> /**'.
=item B<mount /dev/foo,>

allow mounting of /dev/foo anywhere with any options. Some matching mount
commands:

  $ mount /dev/foo /mnt
  $ mount -t ext3 /dev/foo /mnt
  $ mount -t vfat /dev/foo /mnt
  $ mount -o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint
=item B<mount options=ro /dev/foo,>

allow mounting of /dev/foo anywhere, as read only. Some matching mount
commands:

  $ mount -o ro /dev/foo /mnt
  $ mount -o ro /dev/foo /some/where/else
=item B<mount options=(ro,atime) /dev/foo,>

allow mount of /dev/foo anywhere, as read only and using inode access times.
Some matching mount commands:

  $ mount -o ro,atime /dev/foo /mnt
  $ mount -o ro,atime /dev/foo /some/where/else
=item B<mount options in (ro,atime) /dev/foo,>

allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime'
(see above). Some matching mount commands:

  $ mount -o ro /dev/foo /mnt
  $ mount -o atime /dev/foo /some/where/else
  $ mount -o ro,atime /dev/foo /some/other/place
=item B<mount options=ro /dev/foo, mount options=atime /dev/foo,>

allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo
anywhere using inode access times. Note this is expressed as two different
rules. Some matching mount commands:

  $ mount -o ro /dev/foo /mnt/1
  $ mount -o atime /dev/foo /mnt/2
=item B<< mount -> /mnt/**, >>

allow mounting anything under a directory in /mnt/**. Some matching mount
commands:

  $ mount /dev/foo1 /mnt/1
  $ mount -o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2
=item B<< mount options=ro -> /mnt/**, >>

allow mounting anything under /mnt/**, as read only. Some matching mount
commands:

  $ mount -o ro /dev/foo1 /mnt/1
  $ mount -o ro /dev/foo2 /mnt/deep/path/foo2
=item B<< mount fstype=ext3 options=(rw,atime) /dev/sdb1 -> /mnt/stick/, >>

allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and
using inode access times. Matches only:

  $ mount -o rw,atime /dev/sdb1 /mnt/stick
=item B<< mount options=(ro, atime) options in (nodev, user) /dev/foo -> /mnt/, >>

allow mounting /dev/foo on /mnt/ read only and using inode access times, or
allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'.
Some matching mount commands:

  $ mount -o ro,atime /dev/foo /mnt
  $ mount -o nodev /dev/foo /mnt
  $ mount -o user /dev/foo /mnt
  $ mount -o nodev,user /dev/foo /mnt
AppArmor's policy language allows embedding variables into file rules
Mount options support the use of pattern matching, but mount flags are not
correctly intersected against the specified patterns. Eg, 'mount options=**,'
should be equivalent to 'mount,', but it is not. (LP: #965690)

The fstype may not be matched against when certain mount command flags are
used. Specifically, fstype matching currently only works when creating a new
mount, and not for remount, bind, etc.

Mount rules with multiple 'options' conditionals are not applied as documented
above but are instead merged, such that 'options in (ro,nodev) options in (atime)'
is equivalent to 'options in (ro,nodev,atime)'. The merged rule permits
combinations such as 'ro,atime' that the documented semantics would reject.

When specifying mount options with the 'in' conditional, both the positive and
negative values match when either one is specified. Eg, 'rw' matches when
'ro' is specified and 'dev' matches when 'nodev' is specified, such that
'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'. A rule meant
to confine a mount to read-only or nodev therefore also permits the read-write
or dev form; do not rely on an 'options in' list to exclude the opposite of a
listed flag.
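As a worked illustration of the three conditional forms documented above ('=' exact match, 'in' any non-empty combination, several conditionals on one rule as alternatives), of the source and mountpoint globs used in the example rules, and of the merged-'in' behaviour reported in the known-bugs paragraphs, here is a small matcher. It is an added example written for this page, not AppArmor's own parser or kernel matching code. It models only plain 'mount' rules (no remount, umount, pivot_root, 'audit' or 'deny'), treats a bare '**' value as matching anything, and assumes that a mount command issued without '-t' reaches the kernel with the probed filesystem type, which the caller passes in as detected_fstype; the rule and command strings are constructed from the examples above, and the ext3 probe result is an assumption.

```python
"""Matcher for AppArmor mount-rule conditionals as documented on this page.
Added example, not AppArmor's own parser or kernel code: it models the
documented '=' / 'in' / multiple-conditional semantics, a small AARE subset
for source/mountpoint globs, and the merged-'in' behaviour from the bug list."""
import re
import shlex

# One conditional: fstype=ext3, vfstype in (a,b), options=(ro, atime), options in (x)
COND_RE = re.compile(r"^(fstype|vfstype|options)\s*(=|in)\s*(?:\(([^)]*)\)|(\S+))\s*")


def aare_to_regex(glob):
    """AARE subset used by the examples: '**' also spans '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(text):
    """'mount [CONDITIONS] [SOURCE] [-> MOUNTPOINT],' -> dict of its parts."""
    body = text.strip().rstrip(",").strip()
    assert body.startswith("mount"), "only plain 'mount' rules are modelled"
    body = body[len("mount"):].strip()
    rule = {"fstype": [], "options": [], "source": None, "target": None}
    while (m := COND_RE.match(body)):
        key = "options" if m.group(1) == "options" else "fstype"
        values = {v.strip() for v in (m.group(3) or m.group(4)).split(",")}
        rule[key].append((m.group(2), values))  # ('=' | 'in', {flags or fstypes})
        body = body[m.end():]
    parts = body.split()
    if "->" in parts:
        arrow = parts.index("->")
        rule["source"] = parts[0] if arrow == 1 else None
        rule["target"] = parts[arrow + 1] if arrow + 1 < len(parts) else None
    elif parts:
        rule["source"] = parts[0]
    return rule


def parse_cmd(cmd, detected_fstype=None):
    """Read 'mount [-t TYPE] [-o OPTS] SOURCE DIR' as mount(8) does.  Without -t,
    mount(8) probes the type; the caller passes it as detected_fstype (assumption)."""
    argv = shlex.split(cmd)
    assert argv and argv[0] == "mount"
    fstype, options, positional = detected_fstype, set(), []
    it = iter(argv[1:])
    for arg in it:
        if arg == "-t":
            fstype = next(it)
        elif arg == "-o":
            options |= {o for o in next(it).split(",") if o}
        else:
            positional.append(arg)
    source, target = positional  # fstab-style 'mount DIR' is not modelled
    target = target if target.endswith("/") else target + "/"  # it is a directory
    return {"fstype": fstype, "options": options, "source": source, "target": target}


def cond_matches(op, values, actual):
    """'=' needs the exact set, 'in' any non-empty subset; '**' matches anything."""
    if "**" in values:
        return True
    return actual == values if op == "=" else bool(actual) and actual <= values


def conds_match(conds, actual):
    """No conditional matches everything; several conditionals are alternatives."""
    return not conds or any(cond_matches(op, v, actual) for op, v in conds)


def rule_matches(rule, cmd):
    """True if the parsed mount command is permitted by the parsed rule."""
    fs = {cmd["fstype"]} if cmd["fstype"] else set()
    src, dst = rule["source"], rule["target"]
    return bool(conds_match(rule["fstype"], fs)
                and conds_match(rule["options"], cmd["options"])
                and (src is None or aare_to_regex(src).match(cmd["source"]))
                and (dst is None or aare_to_regex(dst).match(cmd["target"])))


def allowed(rule_text, cmd, detected_fstype=None):
    return rule_matches(parse_rule(rule_text), parse_cmd(cmd, detected_fstype))


def merge_in_conditionals(rule):
    """Known-bugs behaviour: every 'options in' list on one rule is merged into one."""
    ins = [v for op, v in rule["options"] if op == "in"]
    kept = [(op, v) for op, v in rule["options"] if op != "in"]
    return dict(rule, options=kept + ([("in", set().union(*ins))] if ins else []))


if __name__ == "__main__":  # constructed rule and command from the examples above
    print(allowed("mount options in (ro,atime) /dev/foo -> /mnt/,", "mount -o ro,sync /dev/foo /mnt"))  # False
```

Under the documented semantics rule_matches rejects 'mount -o ro,atime /dev/foo /mnt' for the rule 'mount options in (ro,nodev) options in (atime),', while merge_in_conditionals reproduces what the known-bugs paragraphs report: the merged list 'in (ro,nodev,atime)' accepts it. The positive/negative flag quirk from the same paragraphs is not modelled; when reviewing a profile, read every 'options in' list as also permitting the opposite of each listed flag.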
apparmor(7), apparmor_parser(8), aa-complain(1),