[apparmor] [PATCH 1/3] apparmor.d.pod: create RULES grouping and cleanup profile PROFILE rule

Christian Boltz apparmor at cboltz.de
Sat Mar 28 22:46:45 UTC 2015


Hello,

On Wednesday, 25 March 2015, John Johansen wrote:
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/apparmor.d.pod | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 1cb3b6e..3b4e4e9 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -54,7 +54,15 @@ B<COMMENT> = '#' I<TEXT>
> 
>  B<TEXT> = any characters
> 
> -B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<DBUS RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE>) ... ] '}'
> +B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' ( I<RULES> )* '}'
>
> +B<RULES> = [ ( I<COMMENT> | I<LINE RULES> [ '\r' ] '\n' | I<COMMA RULES> ',' | I<BLOCK RULES> )

COMMENT also has to end with   [ '\r' ] '\n' - it's your choice if you
include it in RULES or if you update the definition of COMMENT to
    COMMENT = '#' TEXT [ '\r' ] '\n'
(which might be the better choice)

It might also make sense to move the   [ '\r' ] '\n'   to the definition 
of INCLUDE instead of mentioning it in RULES.

> +B<LINE RULES> = ( I<COMMENT> | I<INCLUDE> )
> +
> +B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<DBUS RULE> )
> +
> +B<BLOCK RULES> = I<SUBPROFILE>
>  
> B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
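
Review bot: In the added B<RULES> line the opening "[ (" is closed only by ")", so the optional bracket is never terminated; add the closing "]" or drop the "[". I<COMMENT> is also listed both directly in B<RULES> and again inside B<LINE RULES>, so a comment matches two alternatives, one followed by [ '\r' ] '\n' and one without it; listing it in only one place would remove the ambiguity. The new B<PROFILE> line writes repetition as "( I<RULES> )*" while the unchanged lines of this hunk write it as "[ ... ... ]" (see B<SUBPROFILE>); using one notation throughout would keep the grammar readable.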

With or without the above changes,
Acked-by: Christian Boltz <apparmor at cboltz.de> for trunk and 2.9


Regards,

Christian Boltz
-- 
Oh, I forgot a ";)))". I love the community! Because it brings
me coffee at the conference! [Lars Müller in opensuse-de]



