• NAME
• SYNOPSIS
• DESCRIPTION
• OPTIONS
• BUGS
• SEE ALSO

NAME

subdomain_parser - loads AppArmor profiles into the kernel

SYNOPSIS

subdomain_parser [--add] [--debug] [--help] [--replace] [--remove] [--version] [--preprocess] [--Complain] [--Include n] [--base n] [--stdout]

DESCRIPTION

subdomain_parser imports new subdomain.conf(5) profiles into the Linux kernel. The profiles restrict the operations available to processes as indicated by executable name.

The profiles are loaded into the Linux kernel by the subdomain_parser program, which takes its input from standard input. The input supplied to subdomain_parser should be in the format described in subdomain.conf(5).

The following are two ways you can use the subdomain parser. The first can be used to replace mutliple profiles at once. *cat /etc/subdomain.d/usr.bin.foo | subdomain_parser -r *subdomain_parser -r < /etc/subdomain.d/usr.bin.foo

Note: -r performs the same action as -a, if the profile does not already exist.

Removing and adding a profile has a different effect than does replacing one because when you replace a profile the processes that were attached to the profile

The diffferences between the following two commands should be noted:

*subdomain_parser -r < /etc/subdomain.d/usr.bin.foo When you replace a profile, the processes the original profile was attached to are protected.

*subdomain_parser -R < /etc/subdomain.d/usr.bin.foo and then subdomain_parser subdomain_parser -a < /etc/subdomain.d/usr.bin.foo When you remove, then add a profile, the processes that the original profile was attached to are no longer protected.

OPTIONS

-a, --add

Inserts user-provided SubDomain definitions into the kernel. This is the default action. It will produce an error message if a SubDomain definition by the same name already exists in the kernel, or if the parser doesn't understand its input. It reports when an addition succeeded.

-h, --help

Provides a quick reference guide for the options used in subdomain_parser.

-r, --replace

Use this flag if a SubDomain definition by the same name already exists in the kernel, and you would like replace the existing definition the kernel with the definition given in standard input.

-R, --remove

This flag is used to remove a SubDomain definition already in the kernel. Note that it still requires a complete SubDomain definition as described in subdomain.conf(5) even though the contents of the definition aren't used. =item -v, --version

Prints the version number and exit.

-p, --preprocess

Parses the profile(s) and incorporates any files referenced by #include directives, placing them inline into the profile so the profile becomes a large, flat file.

-C, --Complain

Loads the profile in complain mode, regardless of whether complain or enforce mode is specified in the profile. /subdomain must be mounted.

-I n, --Include n

Add element n to the search path when resolving #include directives defined as an absolute path.

-b n, --base n

Set the base directory for resolving #include directives defined as relative paths.

BUGS

None known. If you find any, please report them to bugzilla at http://bugs.wirex.com.

SEE ALSO

subdomain(7), subdomain.d(5), subdomain.conf(5), and change_hat(2).