On Tue, Dec 03, 2013 at 12:12:25PM -0800, Steve Beattie wrote: > This patch adds more testcases around variables used in dbus rules. > In particular, it > > - attempts to verify that variable expansion and alternation > expansion results in identical DFA blobs, > - tests that variables can be expanded within alternations, > - tests that alternations can occur in variable definitions, and > - that having alternations inside variable declarations that are > used inside alternations results in parsing success > > Note that vars/vars_dbus_9.sd veers into stress test land, as the > combinatoric expansion results in over 1000 dbus rule entries being > generated, which means that DFA reduction on all the fields takes > noticeable amounts of time (around 1s on my i5 ivy-core laptop). > > Patch history: > v1: initial version > v2: based on feedback: > - add more alternation tests for cases where only part of the > alternation is defined within a variable > - mark test with nested alternations as being successful now that > the patch that implements it was accepted > > Signed-off-by: Steve Beattie <st...@nxnw.org>
Acked-by: Seth Arnold <seth.arn...@canonical.com> These are incredibly useful; the last few point out a feature that I hadn't considered: variables can contain some of the higher-level aspects of regular expressions. These first two felt like they ought to be syntax errors on my first read: > +#=DESCRIPTION variable w/part of an alternation included > +#=EXRESULT PASS > + > +@{BAR}={bar,baz,blort > + > +/does/not/exist { > + /does/not/@{BAR},exist,notexist} r, > +} > +#=DESCRIPTION variable w/part of an alternation included > +#=EXRESULT PASS > + > +@{BAR}=bar,baz,blort} > + > +/does/not/exist { > + /does/not/{exist,notexist@{BAR}/meep r, > +} The next one is less annoying probably because there are no unbalanced braces :) but its meaning still required more concentration: existbar baz blortnotexist > +#=DESCRIPTION variable w/part of an alternation included > +#=EXRESULT PASS > + > +@{BAR}=bar,baz,blort > + > +/does/not/exist { > + /does/not/{exist@{BAR}notexist}/meep r, > +} Probably the merits of allowing "boundary crossing" (for lack of a better term) outweigh trying to forbid it: - Forbidding it would require extra, unpretty, code. - "Hiding" some of the more complicated aare / pcre aspects in mixed-type rules in a variable is probably going to turn out to be very useful. Thanks!
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor