[apparmor] Deprecation of #include

John Johansen john.johansen at canonical.com
Sat Mar 26 23:59:41 UTC 2011


On 03/26/2011 03:07 PM, Christian Boltz wrote:
> Hello,
> 
> Am Samstag, 26. März 2011 schrieb John Johansen:
>> I would like to deprecate #include in favor of using include.
>>
>> Eg.
>>   #include <foo>
>> becomes
>>   include <foo>
> 
> I don't really care ("include" without "#" not looking like a comment 
> might be an argument), but...
> 
>> Further more we may want to consider removing #include altogether
>> for v3 of the profile language.
> 
> ... please don't do that. It will break old/existing profiles without a 
> real need.
> 
well the problem is v3 will already break profiles because of semantic
changes. For example mount will require both cap mac_admin and a mount rule.

So the current plan is that v3 profile will need a tag so that the tools
can distinguish between them, because it will still be possible to say
have a v3 profile with cap mac_admin but not the mount rule,

Of course nothing about v3 is set in stone yet, we are more than willing
to listen to ideas about how to extend the profile language and allow
for tighter confinement that is backwards compatible and not kludgey.



More information about the AppArmor mailing list