734.

<application>AppArmor</application> profiles are simple text files located in <filename>/etc/apparmor.d/</filename>. The files are named after the full path to the executable they profile, replacing the "/" with ".". For example, <filename>/etc/apparmor.d/bin.ping</filename> is the AppArmor profile for the <filename>/bin/ping</filename> command.

(no translation yet)

Located in
serverguide/C/security.xml:1061(para)
735.

There are two main types of rules used in profiles:

In profiles there are mainly two types of rules

Translated and reviewed by
Wylmer Wang

Located in
serverguide/C/security.xml:1067(para)
736.

<emphasis>Path entries:</emphasis> detail which files in the file system an application can access.

<emphasis>Path entries:</emphasis> specify in detail which files in the file system an application can access.

Translated and reviewed by
Hugh SH

In upstream:

<emphasis>Path entries:</emphasis> specify which files in the file system an application can access.

Suggested by
Wylmer Wang

Located in
serverguide/C/security.xml:1072(para)
737.

<emphasis>Capability entries:</emphasis> determine what privileges a confined process is allowed to use.

(no translation yet)

Located in
serverguide/C/security.xml:1077(para)
738.

As an example, take a look at <filename>/etc/apparmor.d/bin.ping</filename>:

As an example, take a look at <filename>/etc/apparmor.d/bin.ping</filename>:

Translated and reviewed by
Hugh SH

In upstream:

As an example, let's have a look at <filename>/etc/apparmor.d/bin.ping</filename>:

Suggested by
Hugh SH

Located in
serverguide/C/security.xml:1082(para)
739.

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}

Translated and reviewed by
Hugh SH

Located in
serverguide/C/security.xml:1085(programlisting)
740.

<emphasis>#include <tunables/global>:</emphasis> include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.

<emphasis>#include <tunables/global>:</emphasis> includes statements from other files. This allows related statements from different applications to be placed in the same file.

Translated by
maxim(Feng Liu)

Reviewed by
Hugh SH

Located in
serverguide/C/security.xml:1102(para)
741.

<emphasis>/bin/ping flags=(complain):</emphasis> path to the profiled program, also setting the mode to <emphasis>complain</emphasis>.

(no translation yet)

Located in
serverguide/C/security.xml:1108(para)
742.

<emphasis>capability net_raw,:</emphasis> allows the application access to the CAP_NET_RAW POSIX.1e capability.

<emphasis>capability net_raw,:</emphasis> allows the program to have the ability to connect to CAP_NET_RAW Posix.1e.

Translated and reviewed by
Hugh SH

Located in
serverguide/C/security.xml:1114(para)
743.

<emphasis>/bin/ping mixr,:</emphasis> allows the application read and execute access to the file.

<emphasis>/bin/ping mixr,:</emphasis> allows the application to read and execute this file.

Translated and reviewed by
Yiding He

Located in
serverguide/C/security.xml:1119(para)