[apparmor] [PATCH 4/4] dconf patch

William Hua william.hua at canonical.com
Mon Dec 14 09:04:04 UTC 2015


Hello,

Here is another iteration of the patch set, including the kernel patch
from June which went stale due to upstream changes over the past six
months. Please review these and let me know of any revisions required
as soon as possible since the work on the dconf side has already begun
and is currently waiting on us.

Thanks,
Will



On 10/06/2015 03:24 PM, Christian Boltz wrote:
> Hello,
> 
> On Tuesday, 6 October 2015, John Johansen wrote:
>> On 10/06/2015 11:05 AM, Christian Boltz wrote:
>>> On Tuesday, 6 October 2015, John Johansen wrote:
>>>> diff --git a/parser/Makefile b/parser/Makefile index 
>>>> 1f0db8d..ec54f96 100644 --- a/parser/Makefile +++ 
>>>> b/parser/Makefile
> ...
>>> I know that list is chaotic already (probably for historical 
>>> reasons?), but what about sorting the HDRS files by alphabet? 
>>> (same question for SRCS and maybe some other file lists in the 
>>> Makefile)
>> 
>> yeah we can get to doing something like that, once my make file 
>> patches land.
> 
> Most of them are acked, so feel free to commit those ;-) I'd also 
> accept a *.h wildcard to make maintaining the Makefile easier.
> 
>> This is based on work William did months ago and I am only now 
>> getting a reply out to.
> 
> no problem ;-)
> 
>>>> --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh
>>>> 
>>>> +verify_binary_equality "dconf read" \ +	"/t { dconf / r, }" 
>>>> \ +	"/t { dconf / read, }" + +verify_binary_equality "dconf 
>>>> write" \ +	"/t { dconf / w, }" \ +	"/t { dconf / write, }" +
>>>>  +verify_binary_equality "dconf read-write" \ +	"/t { dconf
>>>> / rw, }" \ +	"/t { dconf / wr, }" \ +	"/t { dconf /
>>>> readwrite, }" \ +	"/t { dconf / writeread, }" \ +	"/t { dconf
>>>> / read-write, }" \ +	"/t { dconf / write-read, }" \ +	"/t { 
>>>> dconf / read_write, }" \ +	"/t { dconf / write_read, }"
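
Review bot: the read-write block in equality.sh asserts that eight spellings (rw, wr, readwrite, writeread, read-write, write-read, read_write, write_read) compile identically, which locks every one of them into the policy language as accepted syntax. If the single-letter form is the intended one, trim the block to "/t { dconf / rw, }" and "/t { dconf / wr, }" and add checks that the long forms fail to parse. The block also has no inequality case, so nothing here shows that "dconf / r" and "dconf / rw" compile to different policy.
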
> 
> BTW: I'd add another test here: "/t { dconf / r, dconf / w, }"
> 
>>> Seriously?
>>> 
>>> I have to admit that I don't really know dconf, but having 8 
>>> different ways to allow read and write (one letter vs. word, no
>>> separator vs - vs. _) is too much. We don't win anything with
>>> it, but it makes implementation of the parser and the tools
>>> more difficult than needed.
>>> 
>>> IMHO the single-letter syntax we already use in file rules 
>>> ("rw" or "wr") is enough and will save us some headache.
>> 
>> gah, no that was supposed to be cut out, notice in my intro
>> reply that I moved it back to an apparmor style syntax. I must
>> have either missed this block or missed git adding the change
>> back into the patch
> 
> Note that it's not only in the tests. The parsing code 
> (parser_lex.l) also allows "r(ead)?" and "w(rite)?", and maybe I 
> missed another place
> 
> I also just noticed another interesting bit in parser_yacc.y [1]
> 
> +       | TOK_WRITE { $$ = AA_DCONF_READWRITE; /* writable implies 
> readable */ }
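
Review bot: the TOK_WRITE action returns AA_DCONF_READWRITE, so a rule written with only w grants read access that the profile text does not show, and the inline comment is the only place this is stated. Prefer rejecting (or at least warning on) a write-only rule in the parser so the granted permissions are always spelled out in the profile; if the implication stays, document it alongside the rule syntax and add a test that pins "dconf / w" to the same binary as "dconf / rw".
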
> 
> This sounds like surprising behaviour to me - does this really
> make sense? If yes, this needs to be documented in bold letters or
> - IMHO better - rules with only w permissions should be rejected
> as invalid to enforce that the profile always contains rw
> permissions, not only w.
> 
> 
> Regards,
> 
> Christian Boltz
> 
> [1] I should have read the patch a bit slower before writing the 
> previous mail ;-)
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-add-data-query-support.patch
Type: text/x-patch
Size: 10747 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/76068470/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Split-aa_query_label-into-a-base-aa_query_cmd-and-it.patch
Type: text/x-patch
Size: 8229 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/76068470/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-base-function-to-query-generic-label-data-under-.patch
Type: text/x-patch
Size: 7803 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/76068470/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Make-some-parameters-of-parser-interface-constant.patch
Type: text/x-patch
Size: 1605 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/76068470/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Add-support-for-dconf-confinement.patch
Type: text/x-patch
Size: 35835 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/76068470/attachment-0009.bin>