[apparmor] [PATCH] 2/6: man page updates

John Johansen john.johansen at canonical.com
Mon Dec 20 18:39:31 GMT 2010

On 12/20/2010 06:02 AM, Jamie Strandboge wrote:
> On Sun, 2010-12-19 at 14:08 -0800, John Johansen wrote:
>>> On Sunday, 19 December 2010, Jamie Strandboge wrote:
>>>> On Sun, 2010-12-19 at 07:50 -0600, Jamie Strandboge wrote:
>>>>> 0002-add-inverted-character.patch: parser/apparmor.d.pod: add [^]
>>>> +=item B<[^d-z]>
>>>> +
>>>> +will substitute for the single character a, b, or c
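Review bot: the description line under `=item B<[^d-z]>` is wrong. A negated set matches any single character other than d through z, not only a, b, or c. Reword it to something like "will substitute for any single character not matching d through z", or change the item to `[^a-c]` and describe it as "any single character not matching a, b or c".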
>>> Not really correct *) - it allows _everything except_ d, e, ... y, z. 
>>> Yes, this includes a, b and c, but it also includes digits, -, _, A...Z 
>>> etc.
>>> *) at least if it follows normal RegEx or file glob syntax - I don't 
>>> have a system with 2.5.x to verify it. If it is based on RegEx, then it 
>>> even allows a "/".
>> it is everything except what is explicitly listed, and in the case of
>> pathnames I believe we are adding an implicit [^\000] (and if we are not
>> we should be) just as we do for globs. eg. * == [^/\000].
>> The caveat is that the parser is responsible for converting the character
>> set matching and it is done in 8 bit lc_local encoding, which is a long
>> outstanding bug.  We should be taking the actual encoding setting and
>> converting characters to the internal format.
> pfft, of course you guys are right (duh). I'd be happy to update that.
> How about:
> "=item B<[^a-c]>
> will substitute for any single character not matching a, b or c"
> I think I'll leave out the [^\000] for now, since we don't mention it
> with '*' either.
Sounds good.  And I think I would leave out the [^\000] too, as it's a
technicality since \000 isn't valid for a filesystem name in

We do that because we take advantage of the \000 character in policy
as the separator between paired up paths (eg link pairs).
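
A byte-level model of the negated-class semantics discussed in this thread, as an added example that is not AppArmor parser code. It assumes an 8-bit (Latin-1) encoding of the class and the implicit `[^\000]` described above; `allowed_bytes`, `matches_single` and the sample names are hypothetical and constructed.

```python
"""Model of one bracket expression as discussed above (not AppArmor code)."""


def allowed_bytes(glob_class: str) -> frozenset:
    """Return the byte values a bracket expression such as '[^d-z]' accepts.

    Assumptions: the class is encoded as 8-bit Latin-1, and NUL is
    implicitly excluded (the [^\\000] mentioned in the thread).
    """
    if len(glob_class) < 3 or glob_class[0] != "[" or glob_class[-1] != "]":
        raise ValueError("not a bracket expression: %r" % glob_class)
    body = glob_class[1:-1].encode("latin-1")
    negated = body.startswith(b"^")
    if negated:
        body = body[1:]
    if not body:
        raise ValueError("empty character class")
    members, i = set(), 0
    while i < len(body):
        # 'x-y' is a range; a '-' with nothing after it is a literal.
        if i + 2 < len(body) and body[i + 1] == ord("-"):
            lo, hi = body[i], body[i + 2]
            if lo > hi:
                raise ValueError("reversed range in %r" % glob_class)
            members.update(range(lo, hi + 1))
            i += 3
        else:
            members.add(body[i])
            i += 1
    result = set(range(256)) - members if negated else members
    result.discard(0)  # implicit [^\000]: NUL is reserved as a separator
    return frozenset(result)


def matches_single(glob_class: str, name: bytes) -> bool:
    """True if `name` is exactly one byte and that byte is in the class."""
    return len(name) == 1 and name[0] in allowed_bytes(glob_class)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real policy.
    samples = [b"a", b"d", b"7", b"Z", b"/", b"\x00",
               "\u00e9".encode("latin-1"), "\u00e9".encode("utf-8")]
    for s in samples:
        print(repr(s), matches_single("[^d-z]", s))
```

The last two samples show the encoding caveat: the same character matches as one Latin-1 byte but not as a two-byte UTF-8 sequence, because the model compares bytes, not characters.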
