3.7 File Permission Access Modes

File permission access modes consist of combinations of the following six modes:


read mode


write mode


discrete profile execute mode


unconstrained execute mode


inherit execute mode


link mode

3.7.1 Read Mode

Allows the program to have read access to the resource. Read access is required for shell scripts and other interpreted content and determines if an executing process can core dump or be attached to with ptrace(2) (ptrace(2) is used by utilities such as strace(1), ltrace(1), and gdb(1)).

3.7.2 Write Mode

Allows the program to have write access to the resource. Files must have this permission if they are to be unlinked (removed).

3.7.3 Discrete Profile Execute Mode

This mode requires that a discrete security profile is defined for a resource executed at a Novell AppArmor domain transition. If there is no profile defined, the access is denied. Incompatible with inherit and unconstrained execute entries.

3.7.4 Unconstrained Execute Mode

Allows the program to execute the resource without any Novell AppArmor profile being applied to the executed resource. Requires listing execute mode as well. Incompatible with inherit and discrete profile execute entries.

This mode is useful when a confined program needs to be able to perform a privileged operation, such as rebooting the machine. By placing the privileged section in another executable and granting unconstrained execution rights, it is possible to bypass the mandatory constraints imposed on all confined processes. For more information about what is constrained, see the subdomain(7) man page.

3.7.5 Inherit Execute Mode

Prevents the normal Novell AppArmor domain transition on execve(2) when the profiled program executes the resource. Instead, the executed resource inherits the current profile. Incompatible with unconstrained and discrete profile execute entries. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target’s profile or losing the permissions of the current profile. This mode is infrequently used.

3.7.6 Link Mode

The link mode mediates access to symlinks and hardlinks and the privilege to unlink (or delete) files. When a link is created, the file that is linked to must have the same access permissions as the link created (with the exception that the destination does not have to have link access).