Support multiline rules

Bug #1795139 reported by Vincas Dargis
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Confirmed | Wishlist | Unassigned | |

Bug Description

```
$ cat /tmp/test
@{uid}={
[0-9],
[1-9][0-9],
[1-9][0-9][0-9],
[1-9][0-9][0-9][0-9],
[1-9][0-9][0-9][0-9][0-9],
[1-9][0-9][0-9][0-9][0-9][0-9],
[1-9][0-9][0-9][0-9][0-9][0-9][0-9],
[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
}
$ /usr/sbin/apparmor_parser -qp /tmp/test
@{uid}={

AppArmor parser error for /tmp/test in /tmp/test at line 2: Found unexpected character: '['
```

Multiline rules would increase readability/reviewability in specific cases, though this might be overkill if this feature will need lots of parser changes.

Or am I doing something wrong here?

John Johansen (jjohansen) wrote:

Multi-line rules are supported in some places (dbus, signal, etc). However this is dependent on how the rule is parsed.

Variable assignments currently use the newline to indicate the end of the variable. They don't currently parse the variable content, so it is possible to introduce things like a single opening brace '{' in the variable.

How much we could change this now and remain backwards compatible with the majority of actual policy is unclear atm.

Changed in apparmor:
status: New → Confirmed
importance: Undecided → Wishlist
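
An added example, not part of the report or of AppArmor's own code: a small preprocessor that keeps the readable multi-line source and emits the newline-terminated form the parser expects, assuming the same alternation written on a single line is accepted by `apparmor_parser`. The names `brace_depth` and `join_multiline_vars` are hypothetical, and comments inside a multi-line block are not handled. It rejects an assignment whose `{` is still open when the next assignment starts, which is the backwards-compatibility case raised in the comment above.

```python
import re

# Start of an AppArmor variable assignment: @{name}= or @{name}+=
ASSIGN = re.compile(r"^\s*@\{[A-Za-z][A-Za-z0-9_]*\}\s*\+?=")

# Constructed input, abbreviated from the /tmp/test file in the report.
SAMPLE = """\
@{uid}={
[0-9],
[1-9][0-9],
[1-9][0-9][0-9]
}
@{HOME}=@{HOMEDIRS}/*/ /root/
"""

def brace_depth(line, depth):
    """Return '{' nesting after scanning line; backslash-escaped chars are skipped."""
    chars = iter(line)
    for c in chars:
        if c == "\\":
            next(chars, None)
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in variable assignment")
    return depth

def join_multiline_vars(source):
    """Collapse brace-balanced multi-line variable assignments onto one line each."""
    out, pending, depth, start = [], None, 0, 0
    for n, line in enumerate(source.splitlines(), 1):
        is_assign = ASSIGN.match(line)
        if pending is None:
            if not is_assign:
                out.append(line)        # rules, comments, blank lines pass through
                continue
            pending, depth, start = "", 0, n
        elif is_assign:                 # a lone '{' would swallow later policy
            raise ValueError(f"line {start}: '{{' still open at line {n}")
        pending += line.strip()
        depth = brace_depth(line, depth)
        if depth == 0:
            out.append(pending)
            pending = None
    if pending is not None:
        raise ValueError(f"line {start}: unclosed '{{' in variable assignment")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(join_multiline_vars(SAMPLE), end="")
```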