> It is too bad that all of the
> profiles have to be fully parsed just to use basic utilities that don't
> necessarily care about the rules inside of a profile.
The main problem is that we allow "random" filenames for the profiles, so we need to check all files for the to-be-changed profile - but you probably already know that.
Yes, in theory we could just parse the headers and ignore the profile content, but that would mean that we need a (simplified, but still) copy of the profile parsing code.
> While not perfect, I think this is a better approach than refusing to
> parse valid profiles that have existed for quite a few years. What do
> you think?
I'm not the biggest fan of this workaround. Having the tools error out on invalid rules like your example would be much better - especially because such a rule will automagically be changed when saving the profile without any warning. Nevertheless, replacing "break the tools completely" with "unexpected behaviour on invalid rules" still is a small improvement.
FYI: FileRule accepts the permissions in any order, so maybe you could look at how it's done there. (Needless to say that having a list of possible permissions is easier to handle, but maybe it helps nevertheless.)
Please don't forget to run "make check" for the utils ;-)
BTW: Does your patch also work for something like
dbus bus=session bind bus=system,