Hello,

On Wednesday, 24 February 2021, 21:07:47 CET, thedi...@gmx.eu wrote:
> > It seems the apparmor.d manpage lacks a mention of AARE at one place
> > - the place they are explained ;-)
> 
> Especially a proper definition, it seems. As it is, today's definition
> rather looks like cats having a jolly good time with a keyboard, and
> especially the weird keys.

;-)

> > That place is the "Globbing" section. Have a look at it, it should
> > help to understand the AARE syntax.
> 
> Ah, thanks for that pointer! It does help understanding the AARE
> syntax ... but unfortunately only to _some_ extent. For instance,
> this does not explain the additional features that seem to be
> defined, like using variables; but then, the globbing section doesn't
> cover variables either.

You can use variables inside an AARE, and also inside alternations:

    /foo/@{bar}/** r,
    /foo/{@{bar},baz}/** r,

(of course you need to define the variable @{bar} in the preamble)

> For instance, in the context of specifying a peer using an AARE: does
> that mean that I could specify a set of matching profile names (task
> labels), such as "foo*"? or "/usr/bin/*"?

Yes.

> > If you still have questions, feel free to ask - maybe the manpage
> > needs more improvements ;-)
> 
> ...I would suspect so...

I tried some additions to the apparmor.d manpage. Before I submit them 
to gitlab - do the changes include everything you missed? (If not, feel 
free to propose a better text ;-)

--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -1513,9 +1513,10 @@
 F</etc/apparmor.d/tunables/global>. F</etc/apparmor.d/tunables/global> 
 is typically included at the beginning of an AppArmor profile.

-=head2 Globbing
+=head2 Globbing (AARE)

-File resources may be specified with a globbing syntax similar to that
+File resources and other parameters accepting an AARE
+may be specified with a globbing syntax similar to that
 used by popular shells, such as csh(1), bash(1), zsh(1).

 =over 4
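
Review bot: The renamed heading and the new sentence "File resources and other parameters accepting an AARE" use AARE without expanding or defining it, although this is the section readers are pointed to for the explanation. Suggest spelling out the acronym at first use in the paragraph under the heading, and naming at least one of the "other parameters" so it is clear which rule types are meant.
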
@@ -1548,6 +1549,12 @@
 matching a, b or c

 will expand to one rule to match ab, one rule to match cd

+Can also include variables.
+
+=item B<@{variable}>
+
+will expand to all values assigned to the given variable.
+
 =back

 When AppArmor looks up a directory the pathname being looked up will
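
Review bot: "Can also include variables." is a fragment with no subject, and placed after the "will expand to one rule to match ab, one rule to match cd" line it is not clear that it refers to the alternation item. Suggest a full sentence such as "Alternations can also include variables, for example /foo/{@{bar},baz}/**". The new "=item B<@{variable}>" text could also state that the variable has to be defined before it is used.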



Regards,

Christian Boltz
-- 
* mrdocs wonders when darix sleeps
<sshaw> mrdocs: robots don't need sleep
[from #opensuse-buildservice]
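
The variable and alternation rules discussed in the message above, as an added example that is not part of the original mail or of AppArmor's parser: a simplified Python translation of an AARE into a regular expression. The values of @{bar} are constructed, the function names are hypothetical, and parser edge cases (such as a trailing glob directly after "/") are not modelled.

```python
import re
# Constructed value set; in a profile @{bar} is defined in the preamble.
VARIABLES = {"bar": ["one", "two"]}

def expand_variables(aare, variables):
    """Rewrite each @{name} as an alternation of the values assigned to it."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("variable @{%s} is not defined" % name)
        return "{" + ",".join(variables[name]) + "}"
    for _ in range(16):  # bounded so a self-referencing variable cannot loop
        expanded = re.sub(r"@\{(\w+)\}", substitute, aare)
        if expanded == aare:
            return expanded
        aare = expanded
    raise ValueError("variables nested too deeply")

def aare_to_regex(aare):
    """Simplified AARE -> Python regex: ** crosses '/', * and ? do not."""
    out, i, depth = [], 0, 0
    while i < len(aare):
        c = aare[i]
        if aare.startswith("**", i):
            out.append(".*")
            i += 1
        elif c in "*?":
            out.append("[^/]*" if c == "*" else "[^/]")
        elif c == "[":  # character class is copied through unchanged
            end = aare.index("]", i + 1)
            out.append(aare[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth != 0:
        raise ValueError("unbalanced alternation braces")
    return "".join(out)

def aare_match(aare, candidate, variables=None):
    pattern = aare_to_regex(expand_variables(aare, variables or {}))
    return re.fullmatch(pattern, candidate) is not None
```
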


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com