On Mon, Jan 25, 2016 at 05:54:32PM -0600, Tyler Hicks wrote: > I think the use of the 'stack' keyword here would make things confusing > in other areas of the policy language where the 'stack' keyword could > not be used but a we're still referring to a stack of profiles. > > Stealing one of the examples you posted above: > > px /foo/bar -> A//&B, > > We'd have to modify it to be something like: > > px /foo/bar -> A stack B, > > That's actually pretty clear. I think the real problem comes when the > policy admin is reading the audit logs or a dev is using aa_getcon(2). > The audit logs and aa_getcon() will not use the form 'A stack B'. The > 'A//&B' form will be used in those cases. Translating between those > things and the policy language would be a issue.
Good point, I really do like output from logs that can be copy-and-pasted into configurations to fix issues. Thanks
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
