[apparmor] [PATCH 2/4] apparmor.d.pod: refactor profile file, profile, subprofile, hat patterns
Christian Boltz
apparmor at cboltz.de
Wed Apr 1 12:00:22 UTC 2015
Hello,
On Wednesday, 1 April 2015, John Johansen wrote:
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/apparmor.d.pod | 48
> ++++++++++++++++++++++++++++++++---------------- 1 file changed, 32
> insertions(+), 16 deletions(-)
>
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 74eed87..bef9680 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -44,6 +44,10 @@ to the policy; this behaviour is modelled after
> cpp(1).
>
> =over 4
>
> +B<PROFILE FILE> = ( I<PREAMBLE> I<PROFILE> )*
> +
> +B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )*
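Review bot: `B<PROFILE FILE> = ( I<PREAMBLE> I<PROFILE> )*` does not admit a file that ends with a comment, include or variable assignment after its last profile, because every I<PREAMBLE> must be followed by an I<PROFILE>; consider `( I<PREAMBLE> I<PROFILE> )* I<PREAMBLE>` so that a trailing preamble is allowed.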
Add a note that VARIABLE ASSIGNMENT must come before PROFILE, and
everything is fine ;-)
(can be done as a follow-up patch)
> B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
>
> B<ABS PATH> = '"' path '"' (the path is passed to open(2))
> @@ -54,7 +58,19 @@ B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'
>
> B<TEXT> = any characters
>
> -B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"'
> I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' ( I<RULES> )*
> '}' +B<PROFILE> = ( I<PROFILE NAME> ) [ I<ATTACHMENT SPECIFICATION> ]
> [ <PROFILE FLAG CONDS> ] I<BLOCK> +
> +B<PROFILE NAME> = [ 'profile' ] I<FILEGLOB> | 'profile' ( I<UNQUOTED
> PROFILE NAME> | I<QUOTED PROFILE NAME> ) +
> +B<QUOTED PROFILE NAME> = '"' I<UNQUOTED PROFILE NAME> '"'
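Review bot: `[ <PROFILE FLAG CONDS> ]` in the new B<PROFILE> production is missing the POD `I<...>` formatting code that every other nonterminal in this grammar uses, so it will render as literal angle brackets; it should read `[ I<PROFILE FLAG CONDS> ]`. The parentheses in `( I<PROFILE NAME> )` are redundant, and the two alternatives of B<PROFILE NAME> would be easier to read grouped as `( [ 'profile' ] I<FILEGLOB> ) | ( 'profile' ( ... ) )`, since the precedence of `|` against the optional 'profile' is otherwise ambiguous.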
I don't like the separation of QUOTED and UNQUOTED PROFILE NAME too much
and would prefer to explain the quoting in the section explaining the
profile name.
Note that PROFILE NAME is already used, so you'll need to find another
name.
> +B<UNQUOTED PROFILE NAME> = (must start with alphanumeric character
> (after variable expansion), or '/' B<AARE> have special meanings; see
> below. May include I<VARIABLE>. Rules with embedded spaces or tabs
> must be quoted.) +
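Review bot: in the B<UNQUOTED PROFILE NAME> description, `or '/' B<AARE> have special meanings` is missing punctuation between '/' and B<AARE> and reads as a single clause; split it into `or '/'. B<AARE> ... have special meanings`. Also `Rules with embedded spaces or tabs must be quoted` should say names, since this production defines a name rather than a rule, and B<AARE> is set in bold where the other nonterminal references in this hunk use `I<...>`.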
...
> -B<BLOCK RULES> = I<SUBPROFILE>
> +B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> )
> +
> +B<BLOCK> = '{' ( I<RULES> )* '}'
I'd prefer to have '{' and '}' in the definition of the rules that can
include a BLOCK.
...
> +B<HATNAME> = '^' ( {IDS}|{QUOTED_ID see aa_change_hat(2)
> for a description of how this "hat" is used.)
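Review bot: `{IDS}` and `{QUOTED_ID` look like lexer token names rather than nonterminals of this grammar, and the brace opened by `{QUOTED_ID` is never closed, so the production cannot be read as written; suggest `'^' ( I<UNQUOTED PROFILE NAME> | I<QUOTED PROFILE NAME> )`, reusing the name productions this patch introduces, with the `see aa_change_hat(2) ...` sentence moved into a paragraph after the production instead of inside the alternation.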
Hmm, is {IDS} really the correct syntax here? I don't know all details
about the POD syntax, but the whole line looks a bit interesting...
(and clearly different from all other lines)
BTW: Feel free to commit the already acked patches (if possible without
merge conflicts).
Even if not explicitly mentioned, my acks in this patchset are for
trunk and 2.9.
Regards,
Christian Boltz
--
> Just offer them no ESMTP, then it'll work :)
scnr: Maybe he should also ask whether he'd rather have their documents
picked up by courier instead, since I suspect they may still be
chiselling them into stone ...
[> Ralf Hildebrandt and Matthias Haegele on postfixbuch-users]