[apparmor] What are "AARE"s, exactly?
Christian Boltz
apparmor at cboltz.de
Sat Feb 27 21:32:01 UTC 2021
Hello,
On Wednesday, 24 February 2021, 21:07:47 CET, TheDiveO at gmx.eu wrote:
> > It seems the apparmor.d manpage lacks a mention of AARE at one place
> > - the place they are explained ;-)
>
> Especially a proper definition, it seems. As it is, today's definition
> rather looks like cats having a jolly good time with a keyboard, and
> especially the weird keys.
;-)
> > That place is the "Globbing" section. Have a look at it, it should
> > help to understand the AARE syntax.
>
> Ah, thanks for that pointer! It does help understanding the AARE
> syntax ... but unfortunately only to _some_ extent. For instance,
> this does not explain the additional features that seem to be
> defined, like using variables; but then, the globbing section doesn't
> cover variables either.
You can use variables inside an AARE, and also inside alternations:
/foo/@{bar}/** r,
/foo/{@{bar},baz}/** r,
(of course you need to define the variable @{bar} in the preamble)
> For instance, in the context of specifying a peer using an AARE: does
> that mean that I could specify a set of matching profile names (task
> labels), such as "foo*"? or "/usr/bin/*"?
Yes.
> > If you still have questions, feel free to ask - maybe the manpage
> > needs more improvements ;-)
>
> ...I would suspect so...
I tried some additions to the apparmor.d manpage. Before I submit them
to gitlab - do the changes include everything you missed? (If not, feel
free to propose a better text ;-)
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -1513,9 +1513,10 @@
F</etc/apparmor.d/tunables/global>. F</etc/apparmor.d/tunables/global>
is typically included at the beginning of an AppArmor profile.
-=head2 Globbing
+=head2 Globbing (AARE)
-File resources may be specified with a globbing syntax similar to that
+File resources and other parameters accepting an AARE
+may be specified with a globbing syntax similar to that
used by popular shells, such as csh(1), bash(1), zsh(1).
=over 4
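Review bot: The new heading "Globbing (AARE)" and the phrase "other parameters accepting an AARE" use the abbreviation without expanding or defining it anywhere in this hunk, which is the gap the thread started from. Spell the term out on first use in this section, and name at least one such parameter (the thread's example is a peer specification) so readers can tell where else the syntax applies. Renaming the =head2 also changes the section name, so any references to "Globbing" elsewhere in the pod should be checked.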
@@ -1548,6 +1549,12 @@
matching a, b or c
will expand to one rule to match ab, one rule to match cd
+Can also include variables.
+
+=item B<@{variable}>
+
+will expand to all values assigned to the given variable.
+
=back
When AppArmor looks up a directory the pathname being looked up will
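Review bot: "Can also include variables." is a fragment with no subject, and because it follows the alternation example text it is not clear that it refers to alternations. Suggest a full sentence such as "Alternations can also include variables, for example {@{bar},baz}." The new =item B<@{variable}> entry could also say where a variable is defined, since "all values assigned" presumes the reader already knows a variable can hold several values.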
Regards,
Christian Boltz
--
* mrdocs wonders when darix sleeps
<sshaw> mrdocs: robots don't need sleep
[from #opensuse-buildservice]
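The variable expansion described in this message, modelled in Python as an added example; it is not code from the message or from the AppArmor parser. The function names and the sample variable values are constructed for illustration, a variable is modelled by rewriting @{name} as an alternation of its values, and the matcher is a simplified reading of the man page's globbing rules that ignores the parser's corner cases.

```python
import re
# Constructed sample definitions, standing in for a profile preamble.
VARIABLES = {"bar": ["one", "two"], "multi": ["@{bar}", "three"]}
VAR_RE = re.compile(r"@\{(\w+)\}")

def expand_variables(aare, variables=VARIABLES, max_depth=16):
    """Rewrite every @{name} as an alternation of its values: {one,two}."""
    def as_alternation(m):
        values = variables[m.group(1)]  # KeyError: variable never defined
        return "{" + ",".join(values) + "}"
    for _ in range(max_depth):  # values may themselves contain variables
        if not VAR_RE.search(aare):
            return aare
        aare = VAR_RE.sub(as_alternation, aare)
    raise ValueError("variable definitions refer to themselves")

def aare_to_regex(aare):
    """Translate an expanded AARE into an anchored Python regex (simplified)."""
    out, depth, i = [], 0, 0
    while i < len(aare):
        c = aare[i]
        if aare.startswith("**", i):  # any run of characters, including /
            i += 1
            out.append(".*")
        elif c == "*":  # any run of characters except /
            out.append("[^/]*")
        elif c == "?":  # exactly one character except /
            out.append("[^/]")
        elif c == "[":  # character class, copied through: [abc], [a-c], [^a]
            end = aare.index("]", i + 1)
            out.append(aare[i:end + 1])
            i = end
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:  # separator only inside an alternation
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in pattern")
    return re.compile("".join(out), re.DOTALL)

def matches(aare, candidate, variables=VARIABLES):
    return aare_to_regex(expand_variables(aare, variables)).fullmatch(candidate) is not None
```

The same `matches` call works for non-path AAREs such as the peer label patterns asked about in the thread, for example `foo*`.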