On 10/12/2016 02:55 PM, Christian Boltz wrote:
> Hello,
> Am Mittwoch, 12. Oktober 2016, 14:31:13 CEST schrieb John Johansen:
> ...
>> atm I think I am in favor of wrapping it in the conditional and
>> defaulting that conditional to false.
>> The ubuntu patch then changing the conditional to true. This way
>> the information is being carried upstream. And only the distro
>> specific tweak is out of tree.
> That sounds like a good idea, but... -
> If you look at utils/test/test-parser-simple-tests.py, you'll notice
>     # testcases with various unexpected failures
>     syntax_failure = [
>     ...
>        # Syntax Errors caused by boolean conditions (parse_profile_data()
>        # gets confused by the closing '}')
> followed by a list of all files in parser/tst/simple_tests/conditional/ - 
> except those with EXRESULT FAIL because at least those fail correctly 
> ;-)  (actually they fail for a different reason, but hey, they fail ;-)
> So if you add any boolean condition, expect aa-logprof etc. to break 
> completely :-/
> I'm aware of this since I wrote the test that checks against 
> simple_tests, but it has low priority because nobody seems to use 
> conditionals in practise. At least I never received a bugreport ;-)
> Unfortunately fixing this isn't easy - the tools will probably need to 
> handle a "stack" of parenthesis ("I'm inside 'if $foo'") or something 
> like that. (Besides conditionals, that stack should also handle 
> owner { } and audit { } blocks, and also nested child profiles.)
> To make things even worse, this major code change will probably have to 
> happen in an area of aa.py which is hard to cover with unit tests.

well we are going to have to start fixing this, our plans for policy
versioning and "support" of new features on old parsers rely on boolean
conditional support

> For now, a possible workaround could be to abuse variables. The upstream 
> code could have something like
> and Ubuntu could set it to the real dbus socket. I know this is ugly 
> (and it also means not to use abstractions/dbus-strict), but it's still 
> better than breaking all aa-* tools.

I'd rather not do this

Attachment: signature.asc
Description: OpenPGP digital signature

AppArmor mailing list
Modify settings or unsubscribe at: 

Reply via email to