[apparmor] Deprecation of #include

Christian Boltz apparmor at cboltz.de
Sun Mar 27 12:33:12 UTC 2011


On Sunday, 27 March 2011, John Johansen wrote:
> On 03/26/2011 03:07 PM, Christian Boltz wrote:
> > On Saturday, 26 March 2011, John Johansen wrote:
> >> I would like to deprecate #include in favor of using include.

> >> Further more we may want to consider removing #include altogether
> >> for v3 of the profile language.
> > 
> > ... please don't do that. It will break old/existing profiles
> > without a real need.
> well the problem is v3 will already break profiles because of
> semantic changes. For example mount will require both cap mac_admin
> and a mount rule.

What's the reason for this?
My first thought is that the mount rule should be enough, and that it 
doesn't really make sense to require two rules for one permission. 
However I'm quite sure you have some good reasons for this change - so 
please tell me what I'm overlooking ;-)

That said: There's nothing wrong with changes in the profile syntax if 
it brings some advantages.

I'm just saying that you should avoid changes that only bring 
disadvantages, and removing #include is something I would put into this 

> So the current plan is that v3 profile will need a tag so that the
> tools can distinguish between them, 

Yes, version tagging is a very good idea. I would already have loved it 
when directory rules started requiring the / at the end... ;-)
(A migration tool that changes the profiles to the new version would 
have been another option.)

BTW: I probably won't/can't honor the version tag in apparmor.vim which 
means that I'll silently allow new rules in old-version profiles, and 
that I will not mark #include as error for a long time.

> Of course nothing about v3 is set in stone yet, we are more than
> willing to listen to ideas about how to extend the profile language
> and allow for tighter confinement that is backwards compatible and
> not kludgey.

Is there a list of all planned changes somewhere (except in your 
head ;-) and the parts that were posted here)?


Christian Boltz
[Fontlinge für Linux 0.0.2] Just wait, 0.0.3 even works if your name
isn't "ratti". ;-)                                              [Ratti]
