[apparmor] Skippable files

Seth Arnold seth.arnold at gmail.com
Mon May 28 21:13:24 UTC 2012


John, separating the compiling and matching into two libraries makes a ton of sense, the whole C++ runtime is pretty heavy. But having both easily available as libraries could provide a great many neat little utilities for us and potentially awesome tools for many other systems.

I guess count this as a vote for splitting, despite the extra work.

Thanks!
------Original Message------
From: John Johansen
To: Seth Arnold
Cc: Nicolas Valcárcel
Cc: apparmor at lists.ubuntu.com
Subject: Re: [apparmor] Skippable files
Sent: May 28, 2012 1:07 PM

On 05/28/2012 10:53 AM, Seth Arnold wrote:
> I'd love to see the tools and parser using the exact same code to figure out which files to skip. Is there an exported library call that could be used in the tools to replace this function?
> 
Not yet but soon. The chfa match code is going to become part of the library.
At that point we can add a match fn, and provide it with a precompiled
expression (something compiled during the build).

Precompiled because we aren't currently planning on putting the full aare
code into libapparmor (C++ and all its deps), but we will make it available
as a second library.  Well, that is the current plan anyway; it is possible
we might collapse down to one (libapparmor) or could split into three: libapparmor,
libaare_match, libaare.

The reason for wanting the split is that the match code is lightweight and
pure C, while the code to compile an expression is C++ and quite heavy.
The match code will be usable without being able to compile an expression, as
we will be able to hand it precompiled expressions (policy exported from
kernel, etc.).  Of course it's possible that the split isn't worth doing;
we need to look at it more.
