[apparmor] dbus/pair address rule encoding

[Seth Arnold]

On Thu, May 09, 2013 at 03:08:35PM -0700, John Johansen wrote:
> it depends how you look at it. To me it is changing the meaning of ->
> of course I am now convinced that -> is just wrong and we need different
> syntax, because -> just seems to have too many potential different
> interpretations that could cause confusion

Or, we do a bit of jujitsu and -use- the meanings of -> as people seem
to want to read it: do away with the word-based permissions.

Stick with me :)

dbus [address spec] acquire,   # unchanged
dbus [address spec] -> [address spec], # unidirectional
dbus [address spec] <- [address spec], # unidirectional
dbus [address spec] <-> [address spec], # bidirectional

This does have a downside that identical rules could actually be written
in two different ways:

dbus name=foo.org.sender -> ,
dbus <- name=foo.org sender,

-or-

dbus -> name=foo.org.receiver,
dbus name=foo.org.receiver <- ,

But if the arrows are so strongly tied to the direction information
flows, we could just use it, and .. ignore the send and receive
permissions entirely.

We'd want to keep the implicitly added "you get to receive replies to
the messages you send", of course. That's just too useful to get rid of.

So? Eh? :)

I'll take my MacArthur grant now, please. :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130509/5a971c81/attachment.pgp>