Comment 1 for bug 1692582

Simon McVittie (smcv) wrote :

If I'm reading the AppArmor user-space source code correctly, if backwards compatibility wasn't a concern then this could be achieved by adding an additional user-defined field to vec in dbus_rule::gen_policy_re(Profile&) and passing the new number of fields to add_rule_vec(), then adding that same field to the queries built by dbus-daemon in bus/apparmor.c build_message_query().

Unfortunately, again if I'm reading correctly, the query works by building a long string with embedded \0 bytes, then matching it against a DFA representing a single long regular expression that also has embedded \0 bytes - if true, this would mean the number of fields can't usefully be varied.

If extensibility is desired, I think the ideal thing might be if extra fields in the query were ignored (always match) and extra fields in the rule were compared as though the query had an empty string at that point in the vector, but I don't know how feasible that would be.
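
A toy model of the matching scheme as the comment above describes it, added here as an illustration; it is not AppArmor or dbus-daemon code. It shows why a fixed-arity NUL-joined match breaks when either side gains a field, and what the suggested "ignore extra query fields, treat missing ones as empty" semantics would do instead. Assumptions: Python's `re` stands in for the DFA, the whole query string must match, and the field layout, values and function names are constructed.

```python
import re

ANY = r"[^\x00]*"  # a per-field wildcard must not run across a separator


def build_query(fields):
    """Query side: one string, fields joined by embedded NUL bytes."""
    return "\0".join(fields)


def compile_rule(patterns):
    """Rule side: one long regular expression with NUL between field patterns."""
    return re.compile(r"\x00".join(patterns))


def strict_match(patterns, fields):
    """Model of the current scheme: the single regex must match the whole query."""
    return compile_rule(patterns).fullmatch(build_query(fields)) is not None


def extensible_match(patterns, fields):
    """Model of the semantics suggested in the comment (hypothetical):
    extra query fields are ignored, and a rule field with no counterpart
    in the query is compared against the empty string."""
    n = len(patterns)
    padded = list(fields[:n]) + [""] * (n - len(fields))
    return all(re.fullmatch(p, f) is not None for p, f in zip(patterns, padded))


# Constructed sample data: a four-field rule and a matching four-field query.
RULE4 = ["session", r"org\.example\.Svc", ANY, "Ping"]
QUERY4 = ["session", "org.example.Svc", "/org/example", "Ping"]

if __name__ == "__main__":
    cases = [
        ("old rule, old query", RULE4, QUERY4),
        ("old rule, query with extra field", RULE4, QUERY4 + ["tag"]),
        ("rule with extra field, old query", RULE4 + ["tag"], QUERY4),
        ("rule with extra wildcard, old query", RULE4 + [ANY], QUERY4),
    ]
    for name, rule, query in cases:
        print(f"{name}: strict={strict_match(rule, query)} "
              f"extensible={extensible_match(rule, query)}")
```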