[apparmor] [patch 4/9] profiles - fix apparmor_api abstractions

John Johansen john.johansen at canonical.com
Thu Jan 3 01:51:38 UTC 2013

On 01/02/2013 02:52 PM, Steve Beattie wrote:
> On Tue, Dec 18, 2012 at 02:39:55PM -0800, John Johansen wrote:
>> On 12/18/2012 06:17 AM, Steve Beattie wrote:
>>> The apparmor_api abstractions make the mistake of including tunables
>>> directly, which is a no-no since the variable definitions in tunables
>>> need to occur in the preamble of a profile, not embedded within it.
>>> This patch removes those includes, and replaces them with documentation
>>> of which tunables are necessary, as some of the expected ones are not
>>> part of tunables/global.
>>> It also adjusts the kernelvars tunable's definition of the @{pid}
>>> regex, as the current parser does not support nesting of {} groupings,
>>> which breaks any profile that attempts to use the tunable.
>> So I'll ack it if you don't object to me reverting it when I fix the
>> parser :)
> I won't strongly object, but frankly I found the nested alternations
> ugly in their own right, if not quite as ugly as the uber-expanded
> pattern that I did use. I'm not sure how to do it reasonably, but a
> syntax that let us express '[1-9][0-9]{0,5}' (i.e. a non-zero digit
> followed by 0 to 5 digits) would be useful.
Yep, that is what I am shooting for. Basically, I'd like to allow an
escape sequence to enter regex mode, so something like


where \X and \Y are the yet to be determined escape characters used to
bracket the expression.
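
Added example (not part of the original message and not AppArmor code): a Python sketch that builds a single-level {a,b,...} alternation for "a non-zero digit followed by 0 to 5 digits" and checks it against the regex '[1-9][0-9]{0,5}' quoted above. The function names and the small glob translator are hypothetical; the translator refuses nested {} only to mirror the parser limitation described in the thread.

```python
import re

def flat_alternation(first="[1-9]", rest="[0-9]", max_extra=5):
    """Single-level {a,b,...} glob equal to first followed by 0..max_extra of rest."""
    alts = [first + rest * n for n in range(max_extra + 1)]
    return "{" + ",".join(alts) + "}"

def glob_to_regex(glob):
    """Translate [..] classes and one non-nested {a,b} group into a Python regex.

    Assumption for this example: nested {} is rejected, as the thread says
    the parser of the time could not handle it.
    """
    out, depth, in_class = [], 0, False
    for ch in glob:
        if in_class:
            out.append(ch)
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            out.append(ch)
        elif ch == "{":
            depth += 1
            if depth > 1:
                raise ValueError("nested {} grouping is not supported")
            out.append("(?:")
        elif ch == "}":
            if depth == 0:
                raise ValueError("unbalanced }")
            depth -= 1
            out.append(")")
        elif ch == "," and depth == 1:
            out.append("|")
        else:
            out.append(re.escape(ch))
    if depth or in_class:
        raise ValueError("unbalanced grouping")
    return re.compile("".join(out))

def mismatches():
    """Return constructed sample strings on which the glob and the regex disagree."""
    want = re.compile(r"[1-9][0-9]{0,5}")
    got = glob_to_regex(flat_alternation())
    # Constructed samples: a stride through 0..1000199 plus edge cases.
    samples = [str(n) for n in range(0, 1_000_200, 37)]
    samples += ["", "0", "01", "007", "1", "999999", "1000000", "12a"]
    return [s for s in samples if bool(want.fullmatch(s)) != bool(got.fullmatch(s))]

if __name__ == "__main__":
    print(flat_alternation())
    print("disagreements:", mismatches())
```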
