[apparmor] [PATCH 3/9] add optional allow prefix to the language
John Johansen
john.johansen at canonical.com
Wed Nov 7 23:25:01 UTC 2012
On 11/07/2012 02:44 PM, Christian Boltz wrote:
> Hello,
>
> On Wednesday, 7 November 2012, John Johansen wrote:
>> let allow be used as a prefix in place of deny. Allow is the default
>> and is implicit so it is not needed but some users keep tripping over
>> it, and it makes the language more symmetric
>
> In other words: the "allow" keyword is purely cosmetic?
> I tend to say it's superfluous and useless - why should we add it? ;-)
>
atm yes, though it will pick up meaning for some rules like the environment
variable rules that are coming and have allow, deny, unset
> What about making "allow" more a "don't deny" with the ability to
> override an earlier or less specific deny rule? This might be useful for
> local/ snippets or to override a deny from an abstraction.
>
I am very hesitant to allow anything to override an explicit deny. Also
I don't think I would use 'allow' for that as I keep running into people
who are trying to use it in just the basic allow sense, as the current
patch does.
> BTW: does your patch detect conflicting rules like
> allow deny /foo rw,
> as an error?
>
yes, though I should add that to the test suite
>
> Regards,
>
> Christian Boltz
>