[apparmor] DBus rule syntax for subject and peer components

Seth Arnold seth.arnold at canonical.com
Wed Jun 19 01:29:19 UTC 2013 

On Mon, Jun 17, 2013 at 12:39:52PM -0700, Tyler Hicks wrote:
> Jamie had asked for opinions of Proposal 3 vs Proposal 4 and we didn't
> get the responses that I had hoped for. There were two votes (Jamie and
> myself) for Proposal 3 and one (Seth) for Proposal 4.

Christian? Darix? :)

> Rather than let the conversation come to a halt, I'd like to figure out
> what tweaks we'd want to make to Proposal 3. It just so happens that
> these tweaks should mostly apply to Proposal 4, as well. However, this
> email focuses on 3.

Oh my. Thank you for this. This is impressive. :)

> I think it is entirely possible to come up with a single line rule
> syntax (a la Proposal 3) that can be extended to a multiple line rule
> syntax (a la Proposal 4) in the future.

ooh :) A soupçon of hope for me yet. :)

Onto the votes:


> * Proposal 3.1 - Change subj= to subject=

+1.

> We don't abbreviate any of the other conditional names, so I think this
> is a no-brainer and I'm going to include this change in all of the
> proposals below.


> * Proposal 3.2 - Move the access to the front

+1.

> NOTE: This proposal can be combined with any of the other proposals
> 
> Move the access towards the front of the rule, just behind the "dbus"
> keyword. This may help a policy reader quickly identify what permissions
> are being granted by the rule.


> * Proposal 3.3 - Drop the equal signs for grouping

-0.5. Feels needlessly squashed. Might be miserable for parsing.

> Remove the equals sign from the subject and peer groupings.
> 
> dbus [<bus>] [subject(<subject>)] [acquire],
> dbus [<bus>] [subject(<subject>)] [peer(<peer>)] [send | receive],


> * Proposal 3.4 - Replace the equal signs with a space for grouping

+0.5.

> dbus [<bus>] [subject (<subject>)] [acquire],
> dbus [<bus>] [subject (<subject>)] [peer (<peer>)] [send | receive],


> * Proposal 3.5 - Replace the equal signs with a space and use curly
>                  braces for grouping

+1.

> dbus [<bus>] [subject {<subject>}] [acquire],
> dbus [<bus>] [subject {<subject>}] [peer {<peer>}] [send | receive],


> * Proposal 3.6 - Replace the equals signs with a space and use no
>                  characters for grouping

-1. I realize this is closest to my proposal, but dislike taking
just this part of it. Within the context of #3, doesn't feel right.

> dbus [<bus>] [subject <subject>] [acquire],
> dbus [<bus>] [subject <subject>] [peer <peer>] [send | receive],


Thanks again, this was helpful.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130618/52577ee4/attachment.pgp>

More information about the AppArmor mailing list