Ok here's a slightly different approach that allows for a wildcard secid. In this universe:
1) Old parsers just generate a network statement as normal, secmark_count is 0 and we assume that we should do nothing in response to secmark labeling
2) New parsers that generate a bare network statement add a wildcard label, and any further deny statements will be tested in addition to that

I think the audit/deny handling in the policy stuff needs to be fixed up, but does this logic look roughly plausible to people?

-- AppArmor mailing list [email protected]
