[apparmor] [patch] Add RlimitRule and RlimitRuleset classes

Christian Boltz apparmor at cboltz.de
Thu Jun 4 23:31:27 UTC 2015


Hello,

On Thursday, 4 June 2015, Steve Beattie wrote:
> On Mon, May 25, 2015 at 11:59:35PM +0200, Christian Boltz wrote:
> > this patch adds the RlimitRule and RlimitRuleset classes.
> > 
> > The class comes with the usual set of features, so I'll only mention
> > a special feature: the is_covered() and is_equal() functions can
> > even compare limits with different units (for example they
> > recognize that 2minutes == 120seconds).
> > 
> > Also make RE_PROFILE_RLIMIT a bit more strict (the old one accepted
> > any chars, including spaces, for rlimit and value) and convert it
> > to named matches.
> > 
> > [ 41-add-rlimit-rule-class.diff ]
> 
> Acked-by: Steve Beattie <steve at nxnw.org>
> 
> > BTW: The regex contains '=>' as optional part - is this really
> > correct?
> No, not correct, the parser requires the '<='.

Since this patch touches RE_PROFILE_RLIMIT already, should I change

+RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s+(<=)?\s*(?P<value>[^ ]+)' + RE_COMMA_EOL)
                                                                               ^^^^^
to

+RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s+<=\s*(?P<value>[^ ]+)' + RE_COMMA_EOL)
                                                                               ^^
before committing it?

I just tested a bit - the whitespace around the arrow is optional, and
the parser accepts "set rlimit nice<=0,". So the final version of the regex
would be:

+RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)' + RE_COMMA_EOL)
                                                                              ^
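
Review bot: the value group (?P<value>[^ ]+) in this final version excludes only the space character, so a tab or a comma can still be captured as part of "value", although the change is described as making the regex stricter. If rlimit values never contain whitespace or commas, a class such as [^\s,]+ would be tighter. The pattern is also a plain string literal containing \s escapes; an r'...' prefix keeps the escapes out of Python's string-literal processing and avoids the invalid-escape warnings that newer Python versions emit.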

So should I change the patch to use the updated regex, or do you want a 
separate patch for that?


Regards,

Christian Boltz
-- 
Should you ever feel lonely or  be overwhelmed with spare time:
you know where to find us.
[Dominique Leuenberger in opensuse-project]
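
The three RE_PROFILE_RLIMIT candidates from this message, checked against the parser behaviour reported in the thread, as an added example that is not part of the original mail or of the AppArmor code. The RE_COMMA_EOL stand-in, the helper names and the sample rule lines are assumptions constructed here.

```python
import re

# Assumption: stand-in for the project's RE_COMMA_EOL, which this page does not
# show: optional whitespace, a comma, an optional "# comment", end of line.
RE_COMMA_EOL = r'\s*,\s*(#.*)?$'

HEAD = r'^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)'
VALUE = r'(?P<value>[^ ]+)'

# The three candidates from the message, in the order they appear there.
CANDIDATES = {
    'optional_arrow': re.compile(HEAD + r'\s+(<=)?\s*' + VALUE + RE_COMMA_EOL),
    'required_arrow': re.compile(HEAD + r'\s+<=\s*' + VALUE + RE_COMMA_EOL),
    'final':          re.compile(HEAD + r'\s*<=\s*' + VALUE + RE_COMMA_EOL),
}

# Constructed rule lines. The expected verdicts follow what the thread says
# about the parser: '<=' is required, whitespace around it is optional.
SAMPLES = [
    ('set rlimit nice <= 0,', True),
    ('set rlimit nice<=0,',   True),
    ('set rlimit nice 0,',    False),
]


def disagreements(name):
    """Return the sample lines where the candidate regex and the parser differ."""
    regex = CANDIDATES[name]
    return [line for line, accepted in SAMPLES
            if bool(regex.match(line)) != accepted]


def captured(name, line):
    """Return (rlimit, value) as captured by the candidate, or None if no match."""
    match = CANDIDATES[name].match(line)
    return (match.group('rlimit'), match.group('value')) if match else None


if __name__ == '__main__':
    for name in CANDIDATES:
        print(name, 'disagrees with the parser on:', disagreements(name))
```

Each entry in a candidate's list is a rule line that the tools and the parser would treat differently. Only the final version comes back empty for these samples.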
