On 05/09/2013 04:41 PM, John Johansen wrote:
> On 05/09/2013 02:12 PM, Jamie Strandboge wrote:
>> Since <access> *always* applies to <subject>, maybe it makes sense to
>> have it be next to it. Ie:
>>
>> dbus [<subject>] <access> [<peer>],
>>
>> such that:
>>
>> profile subject {
>> dbus name=well.known.address acquire,
>> dbus name=well.known.address receive,
>> dbus send -> name=a.peer.address,
>> dbus receive -> name=a.peer.address,
>>
>> # get as specific as you like:
>> dbus name=... interface=... (send, receive) -> name=... path=...,
>> }
>>
> that is a possibility, though it breaks with the "syntax" of having the
> permission at the end of the rule. This is actually a case where the
> permission at the start of the rule makes more sense, than at the tail.
>
> (send, receive) dbus name=... interface=... -> name=... path=...,
>
> of course I'd like to hear Seth and Steve's input on that
>
Personally, I would be ok with it at the beginning-- it is still close
to the subject. Having the access after the subject feels more
consistent with my profiling habits, but I think I could live with
access first. I'll let others comment.
--
Jamie Strandboge http://www.ubuntu.com/
