[apparmor] [PATCH 3/9] add optional allow prefix to the language
Christian Boltz
apparmor at cboltz.de
Thu Nov 8 23:33:57 UTC 2012
Hello,
On Wednesday, 7 November 2012, John Johansen wrote:
> On 11/07/2012 02:44 PM, Christian Boltz wrote:
> > On Wednesday, 7 November 2012, John Johansen wrote:
> >> let allow be used as a prefix in place of deny. Allow is the default
> >> and is implicit so it is not needed but some users keep tripping over
> >> it, and it makes the language more symmetric
> >
> > In other words: the "allow" keyword is purely cosmetic?
> > I tend to say it's superfluous and useless - why should we add it?
> > ;-)
> atm yes, though it will pick up meaning for some rules like the
> environment variable rules that are coming and have allow, deny, unset
OK, that's an argument. (But I could also ask if we really need the
allow keyword for env rules ;-)
> > What about making "allow" more a "don't deny" with the ability to
> > override an earlier or less specific deny rule? This might be useful
> > for local/ snippets or to override a deny from an abstraction.
>
> I am very hesitant to allow anything to override an explicit deny.
I understand this, but still there might be some cases where it could
be useful ("deny everything except $small-subset-of-everything" - and
without causing logging for the everything denials)
> Also I don't think I would use 'allow' for that as I keep running
> into people who are trying to use it in just the basic allow sense,
> as the current patch does.
That's a very valid argument. What about "overridedeny" or
"iknowwhatiamdoing"? ;-)
> > BTW: does your patch detect conflicting rules like
> >
> > allow deny /foo rw,
> >
> > as an error?
>
> yes though I should add that to the test suite
Yes, a test would be a good idea ;-)
Regards,
Christian Boltz
--
> Thanks for loosening the plank in front of my head a little ;)
No problem. The thing with the planks happens to me all the time too ;-)
[> Stephan Chudowski and Sören Wengerowsky in suse-linux]