subdomain_parser - loads AppArmor profiles into the kernel
NAME
subdomain_parser - loads AppArmor profiles into the kernel
SYNOPSIS
subdomain_parser [--add] [--debug] [--help] [--replace] [--remove]
[--version] [--preprocess] [--Complain] [--Include n] [--base n]
[--stdout]
DESCRIPTION
subdomain_parser imports new subdomain.conf(5) profiles into the Linux kernel. The profiles restrict the operations available to processes as indicated by executable name.
The profiles are loaded into the Linux kernel by the subdomain_parser program, which takes its input from standard input. The input supplied to subdomain_parser should be in the format described in subdomain.conf(5).
The following are two ways you can use the subdomain parser. The first can be used to replace multiple profiles at once.
* cat /etc/subdomain.d/usr.bin.foo | subdomain_parser -r
* subdomain_parser -r < /etc/subdomain.d/usr.bin.foo
Note: -r performs the same action as -a if the profile does not already exist.
Removing and adding a profile has a different effect than does replacing one because when you replace a profile the processes that were attached to the profile
The differences between the following two commands should be noted:
* subdomain_parser -r < /etc/subdomain.d/usr.bin.foo
When you replace a profile, the processes the original profile was attached to remain protected.
* subdomain_parser -R < /etc/subdomain.d/usr.bin.foo and then subdomain_parser -a < /etc/subdomain.d/usr.bin.foo
When you remove, then add a profile, the processes that the original profile was attached to are no longer protected.
OPTIONS
-a, --add
Inserts user-provided SubDomain definitions into the kernel. This is the
default action. It will produce an error message if a SubDomain definition
by the same name already exists in the kernel, or if the parser doesn't
understand its input. It reports when an addition succeeded.
-h, --help
Provides a quick reference guide for the options used in subdomain_parser.
-r, --replace
Use this flag if a SubDomain definition by the same name already exists in the kernel and you would like to replace the existing definition in the kernel with the definition given on standard input.
-R, --remove
This flag is used to remove a SubDomain definition already in the kernel.
Note that it still requires a complete SubDomain definition as described
in subdomain.conf(5) even though the contents of the definition aren't
used.
-v, --version
Prints the version number and exits.
-p, --preprocess
Parses the profile(s) and incorporates any files referenced by #include directives, placing them inline so the profile becomes a single large, flat file.
-C, --Complain
Loads the profile in complain mode, regardless of whether complain or enforce mode is
specified in the profile. /subdomain must be mounted.
-I n, --Include n
Add element n to the search path when resolving #include directives
defined as an absolute path.
-b n, --base n
Set the base directory for resolving #include directives
defined as relative paths.
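To make the -p, -I and -b options concrete, the following added example (not the parser's own code) flattens a profile the way --preprocess does: a search path stands in for -I, a base directory for -b, and an include cycle is rejected instead of looping forever. It assumes the "#include <x>" form is resolved along the -I path and the '#include "x"' form relative to the -b base; the profile tree it builds is constructed sample input.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed syntax: <x> searches the -I path; "x" is relative to the -b base.
INCLUDE_RE = re.compile(r'^\s*#include\s+(?:<([^>]+)>|"([^"]+)")\s*$')

def resolve_include(target, quoted, base_dir, include_dirs):
    """Map an #include target to a path the way -I and -b describe."""
    if quoted:
        return target if os.path.isabs(target) else os.path.join(base_dir, target)
    for d in include_dirs:
        candidate = os.path.join(d, target)
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError(f"#include <{target}> not found in {include_dirs}")

def preprocess(path, base_dir, include_dirs, seen=frozenset()):
    """Return the profile as a flat list of lines, includes expanded inline."""
    real = os.path.realpath(path)
    if real in seen:  # a file that includes itself would otherwise never finish
        raise RecursionError(f"#include cycle at {path}")
    out = []
    for line in Path(path).read_text().splitlines():
        m = INCLUDE_RE.match(line)
        if m is None:
            out.append(line)
            continue
        target = m.group(1) or m.group(2)
        inc = resolve_include(target, m.group(2) is not None, base_dir, include_dirs)
        out.extend(preprocess(inc, base_dir, include_dirs, seen | {real}))
    return out

def demo():
    """Flatten a constructed profile tree (sample input, not a real profile)."""
    with tempfile.TemporaryDirectory() as root:
        inc, base = os.path.join(root, "include"), os.path.join(root, "subdomain.d")
        os.makedirs(os.path.join(inc, "abstractions"))
        os.makedirs(base)
        Path(inc, "abstractions", "base").write_text("/lib/** r,\n")
        Path(base, "local.foo").write_text("/etc/foo.conf r,\n")
        Path(base, "usr.bin.foo").write_text(
            "/usr/bin/foo {\n  #include <abstractions/base>\n"
            '  #include "local.foo"\n  /usr/bin/foo rx,\n}\n')
        return preprocess(os.path.join(base, "usr.bin.foo"), base, [inc])

if __name__ == "__main__":
    print("\n".join(demo()))
```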
BUGS
None known. If you find any, please report them to bugzilla at http://bugs.wirex.com.
SEE ALSO
subdomain(7), subdomain.d(5), subdomain.conf(5), and change_hat(2).
