[apparmor] [Patch 0/7] v2 of unacked man page changes

Christian Boltz apparmor at cboltz.de
Sat Mar 21 20:41:52 UTC 2015 

Hello,

just in case you want to do a 8/7 ;-) patch:

With 7/7 applied, we have this interesting[tm] line:

B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' 
I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE 
RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | I<CAPABILITY RULE> | 
I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<DBUS RULE> | 
I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | 
I<RLIMIT RULE>) ... ] '}'

It would be more readable if we split out the inner part of the profile 
to  a <RULE> group that lists all available rules. The result would be 
something like:

B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' 
I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' 
[ ( I<INCLUDE> | I<RULE> | I<COMMENT> | I<SUBPROFILE> )* ] '}'

B<RULE> = ( I<RESOURCE RULE> | I<CAPABILITY RULE> | I<NETWORK RULE> | 
I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<DBUS RULE> | I<UNIX RULE> | 
I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE>)


Further notes/bugs:
- <RESOURCE RULES> is listed, but not explained anywhere
- <PROFILE> doesn't contain a hint about the 'profile' keyword or named 
  profiles
- <SUBPROFILE> needs an update - in the current state, it looks like 
  subprofiles can only contain some of the rule types
- <SUBPROFILE> doesn't contain any hint about flags
- the 'hat' keyword isn't mentioned
- <PROFILE> and <SUBPROFILE> should be the first items, with <INCLUDE>
  etc. below
- ( '"' I<PROGRAM> '"' | I<PROGRAM> ) can be simplified to I<PROGRAM>
  + quoting explained in the PROGRAM section ("see <FILEGLOB>" is 
  probably enough)
- several rules don't mention the ','. Maybe it would probably a good 
  idea to add it to the proposed <RULE>
- inline comments are not mentioned anywhere. Maybe also add them to 
  <RULE> as optional part after ','

With all the pending patches, I'm quite sure I overlooked some issues.
I'll proofread the updated manpage after your patches are in bzr ;-)


Regards,

Christian Boltz
-- 
> I'll be happy to fix the wording or Germanglish :D
And shift it to Netherlangish? ;)
[> Jos Poortvliet and Lars Müller in opensuse-project]

More information about the AppArmor mailing list