[apparmor] [patch 09/12] parser: more dbus variable testcases (v2)

Seth Arnold seth.arnold at canonical.com
Tue Dec 10 06:42:42 UTC 2013 

On Tue, Dec 03, 2013 at 12:12:25PM -0800, Steve Beattie wrote:
> This patch adds more testcases around variables used in dbus rules.
> In particular, it
> 
>   - attempts to verify that variable expansion and alternation
>     expansion results in identical DFA blobs,
>   - tests that variables can be expanded within alternations,
>   - tests that alternations can occur in variable definitions, and
>   - that having alternations inside variable declarations that are
>     used inside alternations results in parsing success
> 
> Note that vars/vars_dbus_9.sd veers into stress test land, as the
> combinatoric expansion results in over 1000 dbus rule entries being
> generated, which means that DFA reduction on all the fields takes
> noticeable amounts of time (around 1s on my i5 ivy-core laptop).
> 
> Patch history:
>   v1: initial version
>   v2: based on feedback:
>       - add more alternation tests for cases where only part of the
>         alternation is defined within a variable
>       - mark test with nested alternations as being successful now that
> 	the patch that implements it was accepted
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

These are incredibly useful; the last few point out a feature that
I hadn't considered: variables can contain some of the higher-level
aspects of regular expressions.

These first two felt like they ought to be syntax errors on my first read:

> +#=DESCRIPTION variable w/part of an alternation included
> +#=EXRESULT PASS
> +
> +@{BAR}={bar,baz,blort
> +
> +/does/not/exist {
> +  /does/not/@{BAR},exist,notexist} r,
> +}

> +#=DESCRIPTION variable w/part of an alternation included
> +#=EXRESULT PASS
> +
> +@{BAR}=bar,baz,blort}
> +
> +/does/not/exist {
> +  /does/not/{exist,notexist@{BAR}/meep r,
> +}

The next one is less annoying probably because there are no unbalanced
braces :) but its meaning still required more concentration: existbar
baz blortnotexist

> +#=DESCRIPTION variable w/part of an alternation included
> +#=EXRESULT PASS
> +
> +@{BAR}=bar,baz,blort
> +
> +/does/not/exist {
> +  /does/not/{exist@{BAR}notexist}/meep r,
> +}

Probably the merits of allowing "boundary crossing" (for lack of a better
term) outweigh trying to forbid it:

- Forbidding it would require extra, unpretty, code.
- "Hiding" some of the more complicated aare / pcre aspects in mixed-type
  rules in a variable is probably going to turn out to be very useful.

Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131209/f5bbe5ca/attachment.pgp>

More information about the AppArmor mailing list