[apparmor] dconf patches v4

John Johansen john.johansen at canonical.com
Fri Feb 10 20:44:10 UTC 2017


On 08/16/2016 04:17 AM, John Johansen wrote:
> On 08/02/2016 04:32 PM, William Hua wrote:
>> Hello,
>>
>> If I may, I'd like to revive the old dconf confinement patches that we started over a year ago, but were never merged.
>>
>> All necessary patches are attached, as well as an extra test profile and program. I've refreshed them to work properly against kernel 4.6.4 and current AppArmor trunk.
>>
> Hey William
> 
> the kernel patch still looks good, and patches 1-3 have my ACK
> 

Slightly modified versions of the kernel patches have been pushed into
the xenial, yakkety, and zesty kernels, so what follows should be
able to work on any of those releases.

> The issue lies with 04, the actual dconf patch. The code looks good; however,
> I said it before and I will say it again: we cannot be putting permission
> information into the query data.
> 
> You have separated out the query data into
>   rpaths
>   rwpaths
>   arpaths
>   arwpaths
> 

The following patches basically restore the split set of paths interfaces
that you proposed above, but achieve the lists in a different way.

Packages for xenial, yakkety, and zesty have been built in the
lp:apparmor-dev/apparmor-devel ppa.

The parser support is still minimal but will provide a full list of
keys/paths, and a dfa with permissions. Pattern matching for dconf
paths is disabled, but special pattern matching chars must be
escaped. This leaves us open to selectively enabling some of the
pattern matching (like alternations) in the future.

I still have regression and check tests to finish, and yes, support
for the tools, but it is usable.

The following series is built on top of William's patches, but I have
re-included them so that the patches are all together in a set.



