[apparmor] [PATCH 4/4] dconf patch

William Hua william.hua at canonical.com
Mon Dec 14 16:31:22 UTC 2015



Just made one minor change to make dconf rules more consistent with
other rules (parsing permissions after paths).



On 12/14/2015 04:04 AM, William Hua wrote:
> Hello,
> 
> Here is another iteration of the patch set, including the kernel
> patch from June which went stale due to upstream changes over the
> past six months. Please review these and let me know of any
> revisions required as soon as possible since the work on the dconf
> side has already begun and is currently waiting on us.
> 
> Thanks, Will
> 
> 
> 
> On 10/06/2015 03:24 PM, Christian Boltz wrote:
>> Hello,
> 
>> Am Dienstag, 6. Oktober 2015 schrieb John Johansen:
>>> On 10/06/2015 11:05 AM, Christian Boltz wrote:
>>>> Am Dienstag, 6. Oktober 2015 schrieb John Johansen:
>>>>> diff --git a/parser/Makefile b/parser/Makefile index 
>>>>> 1f0db8d..ec54f96 100644 --- a/parser/Makefile +++ 
>>>>> b/parser/Makefile
>> ...
>>>> I know that list is chaotic already (probably for historical
>>>> reasons?), but what about sorting the HDRS files by
>>>> alphabet? (same question for SRCS and maybe some other file
>>>> lists in the Makefile)
>>> 
>>> yeah we can get to doing something like that, once my make file
>>> patches land.
> 
>> Most of them are acked, so feel free to commit those ;-) I'd also
>> accept a *.h wildcard to make maintaining the Makefile easier.
> 
>>> This is based on work William did months ago and I am only now
>>> getting a reply out to.
> 
>> no problem ;-)
> 
>>>>> --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh
>>>>> 
>>>>> +verify_binary_equality "dconf read" \ +	"/t { dconf / r,
>>>>> }" \ +	"/t { dconf / read, }" + +verify_binary_equality
>>>>> "dconf write" \ +	"/t { dconf / w, }" \ +	"/t { dconf /
>>>>> write, }" + +verify_binary_equality "dconf read-write" \ +
>>>>> "/t { dconf / rw, }" \ +	"/t { dconf / wr, }" \ +	"/t {
>>>>> dconf / readwrite, }" \ +	"/t { dconf / writeread, }" \ +
>>>>> "/t { dconf / read-write, }" \ +	"/t { dconf / write-read,
>>>>> }" \ +	"/t { dconf / read_write, }" \ +	"/t { dconf /
>>>>> write_read, }"
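Review bot: the equality cases only compare spelling variants of one rule, so they never pin down what a write-only dconf rule means. Given that parser_yacc.y maps TOK_WRITE to AA_DCONF_READWRITE ("writable implies readable"), either add a verify_binary_equality case asserting that "/t { dconf / w, }" compiles identically to "/t { dconf / rw, }", or, if write-only rules are meant to be rejected, add a test that the parser fails on that profile. Without one of those, the current "dconf write" case passes whichever semantics the parser happens to implement.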
> 
>> BTW: I'd add another test here: "/t { dconf / r, dconf / w, }"
> 
>>>> Seriously?
>>>> 
>>>> I have to admit that I don't really know dconf, but having 8
>>>>  different ways to allow read and write (one letter vs. word,
>>>> no separator vs - vs. _) is too much. We don't win anything
>>>> with it, but it makes implementation of the parser and the
>>>> tools more difficult than needed.
>>>> 
>>>> IMHO the single-letter syntax we already use in file rules 
>>>> ("rw" or "wr") is enough and will save us some headache.
>>> 
>>> gah, no that was supposed to be cut out, notice in my intro 
>>> reply that I moved it back to an apparmor style syntax. I must 
>>> have either missed this block or missed git adding the change 
>>> back into the patch
> 
>> Note that it's not only in the tests. The parsing code
>> (parser_lex.l) also allows "r(ead)?" and "w(rite)?", and maybe I
>> missed another place
> 
>> I also just noticed another interesting bit in parser_yacc.y [1]
> 
>> +       | TOK_WRITE { $$ = AA_DCONF_READWRITE; /* writable
>> implies readable */ }
> 
>> This sounds like surprising behaviour to me - does this really
>> make sense? If yes, this needs to be documented in bold letters
>> or - IMHO better - rules with only w permissions should be
>> rejected as invalid to enforce that the profile always contains
>> rw permissions, not only w.
> 
> 
>> Regards,
> 
>> Christian Boltz
> 
>> [1] I should have read the patch a bit slower before writing the
>> previous mail ;-)
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-add-data-query-support.patch
Type: text/x-patch
Size: 10748 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/8dc10168/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Split-aa_query_label-into-a-base-aa_query_cmd-and-it.patch
Type: text/x-patch
Size: 8230 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/8dc10168/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-base-function-to-query-generic-label-data-under-.patch
Type: text/x-patch
Size: 7804 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/8dc10168/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Make-some-parameters-of-parser-interface-constant.patch
Type: text/x-patch
Size: 1606 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/8dc10168/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Add-support-for-dconf-confinement.patch
Type: text/x-patch
Size: 35836 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151214/8dc10168/attachment-0009.bin>