[apparmor] What are "AARE"s, exactly?

John Johansen john.johansen at canonical.com
Mon Mar 1 09:26:12 UTC 2021


On 3/1/21 12:34 AM, TheDiveO at gmx.eu wrote:
> 
> Hi,
> 
>  
> thank you very much for taking the time to answer my questions about AAREs and also for going to update the man page of apparmor.d! These upcoming changes help a lot in order to make the link between AAREs and globbing, as well as variable substitution.
> 
> What might (still) be left are the grammar definitions for FILEGLOB and AARE; are they actually the same or is AARE the "superset" of FILEGLOB due to it allowing for VARIABLE? If FILEGLOB and AARE actually are the same, would it make sense to then boil them down into a single grammar element, preferably AARE? Why AARE: because of VARIABLE, to distinguish from "plain" FILEGLOB.
> 
Beyond variable substitution, AARE is slightly different from standard FILEGLOB in the way * and ** are handled, and in its character class negation. Also, the full set of what is planned for AARE is not currently exposed, so the difference will be larger in the future.

> In consequence, it would also help to specifically reference the "Globbing (AARE)" section from the "Format" section:
> 
>   AARE = ?*[]{}^ See section "Globbing (AARE)" below for meanings.
> 
> Now, that begs for expanding on AARE grammar, which admittedly is a gory issue, try finding a proper globbing grammar :/
> 
No kidding, this is a point of debate.

There are some boolean expression changes coming that sort of expand the syntax (but not at the subexpression level). The exact syntax has not been settled on but it will allow expressions to be things like

  /** - /bin/*.foo px,

or perhaps (another proposed syntax)

  /** except /bin/*.foo px,


the spacing to separate the subexpression from the operator and the other subexpression is required

> But one important aspect here is that contrary to (sh?) range negation "[!]", AppArmor uses [^] similar to typical regex'es.
> 

yep, it's been that forever, partly because the original backend for it was pcre

> Another question here is: does AppArmor AARE explicitly support character classes, or is this an undocumented and un-guaranteed side-effect of the Python-based implementation of the parser?
> 

it does not in its current form but may in the future. They are something we have to be very very careful about.
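An added example, not code from this thread or from the AppArmor project: a small Python model of the AARE operators as documented in apparmor.d(5), written to show the two differences from shell globbing discussed above, namely that `*` stops at `/` while `**` crosses it, and that class negation is spelled `[^...]` rather than `[!...]`. Variable substitution, the unsettled boolean (`-` / `except`) syntax, and nested or escaped character classes are assumed out of scope, and the real parser's DFA-based matcher is not reproduced.

```python
import re


def aare_to_regex(pattern: str) -> str:
    """Translate an AARE path pattern into a Python regex (simplified model)."""
    out = []
    i, n, depth = 0, len(pattern), 0
    while i < n:
        c = pattern[i]
        if c == '*':
            if pattern.startswith('**', i):
                out.append('.*')        # '**': any run of characters, '/' included
                i += 2
                continue
            out.append('[^/]*')         # '*': any run of characters, but never '/'
        elif c == '?':
            out.append('[^/]')          # '?': exactly one character other than '/'
        elif c == '[':
            j = pattern.find(']', i + 1)
            if j == -1:
                raise ValueError('unterminated character class in %r' % pattern)
            body = pattern[i + 1:j]
            neg = body.startswith('^')  # AARE negates with '^', not the shell's '!'
            if neg:
                body = body[1:]
            body = ''.join(ch if ch.isalnum() or ch == '-' else '\\' + ch
                           for ch in body)
            out.append('[' + ('^' if neg else '') + body + ']')
            i = j
        elif c == '{':
            depth += 1
            out.append('(?:')           # '{a,b}': alternation of the listed forms
        elif c == '}' and depth:
            depth -= 1
            out.append(')')
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))    # everything else is a literal character
        i += 1
    if depth:
        raise ValueError('unbalanced braces in %r' % pattern)
    return ''.join(out)


def aare_match(pattern: str, path: str) -> bool:
    """True if PATH is matched in full by the AARE PATTERN."""
    return re.fullmatch(aare_to_regex(pattern), path) is not None
```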