[apparmor] [PATCH 09/10] update apparmor.d man page to file rule pattern

Christian Boltz apparmor at cboltz.de
Fri Mar 20 19:01:15 UTC 2015 

Hello,

Am Freitag, 20. März 2015 schrieb John Johansen:
> Update the file rule pattern to show it is possible to specify a bare
> file rule. Eg.
> 
>   file,
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/apparmor.d.pod | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 1cfbe72..03537ae 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -195,9 +195,9 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"'
> I<AARE> '"' | I<AARE> ')' )
> 
>  B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE>
> ')' )
> 
> -B<FILE RULE> = I<FILE QUALIFIERS> ( ( '"' I<FILEGLOB> '"' |
> I<FILEGLOB> ) I<ACCESS> | [I<ACCESS> ( '"' I<FILEGLOB> '"' |
> I<FILEGLOB> ) ) [ -E<gt> <EXEC TARGET> ] ',' 
> +B<FILE RULE> = I<FILE QUALIFIERS> 

Again, s/<FILE QUALIFIERS>/<QUALIFIERS> [ 'owner' ]   as described in my 
05/10 reply.

> [ [ 'file' ] ( ( '"' I<FILEGLOB> '"' | I<FILEGLOB> )
> I<ACCESS> | [I<ACCESS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) ) [
> -E<gt> <EXEC TARGET> ] ] ','

Parse error ;-)

The line has 5 "[" - but only 4 "]". The "[" in front of the second 
I<ACCESS> is superfluous.

Additionally, it isn't really clear that just 'file' (+ optional 
qualifiers + 'owner') is allowed.

A correct (but hard to parse/understand) line would be:

    B<FILE RULE> = I<QUALIFIERS> [ 'owner' ] ( [ 'file' ]  ( ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> | I<ACCESS> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) ) [ -E<gt> <EXEC TARGET> ] | 'file' ) ','


That said - ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) makes the manpage 
extremely hard to read. Can you please (in a follow-up patch) replace 
this with just  I<FILEGLOB> everywhere, and explain the quoting in the 
FILEGLOB description?

That would simplify the line to something that is more readable:

    B<FILE RULE> = I<QUALIFIERS> [ 'owner' ] ( [ 'file' ] ( I<FILEGLOB> I<ACCESS> | I<ACCESS> I<FILEGLOB> ) [ -E<gt> <EXEC TARGET> ] | 'file' ) ','


> -B<FILE QUALIFIERS> = [ I<QUALIFIERS> ] [ 'owner' ] [ 'file' ]
> +B<FILE QUALIFIERS> = [ I<QUALIFIERS> ] [ 'owner' ]

After my 05/10 reply, <FILE QUALIFIERS> should no longer exist ;-)

With the above fixes applied,
Acked-by: Christian Boltz <apparmor at cboltz.de>


Regards,

Christian Boltz
-- 
"Der Pinguin ist ein gutes Logo für Linux,
denn was nicht fliegt, stürzt auch nicht ab."
Francis Kuhlen (IBM-Vice President Sales)

More information about the AppArmor mailing list