On 3/1/21 12:34 AM, [email protected] wrote:
>
> Hi,
>
>
> thank you very much for taking the time to answer my questions about AAREs
> and also for going to update the man page of apparmor.d! These upcoming
> changes help a lot in order to make the link between AAREs and globbing, as
> well as variable substitution.
>
> What might (still) be left are the grammar definitions for FILEGLOB and AARE;
> are they actually the same or is AARE the "superset" of FILEGLOB due to it
> allowing for VARIABLE? If FILEGLOB and AARE actually are the same, would it
> make sense to then boil them down into a single grammar element, preferably
> AARE? Why AARE: because of VARIABLE, to distinguish from "plain" FILEGLOB.
>

Beyond variable substitution, AARE is slightly different from standard FILEGLOB
in the way * and ** are handled, and in its character class negation. Also, the
full set of what is planned for AARE is not currently exposed, so the difference
will be larger in the future.

> In consequence, it would also help to specifically reference the "Globbing
> (AARE)" section from the "Format" section:
>
> AARE = ?*[]{}^ See section "Globbing (AARE)" below for meanings.
>
> Now, that begs for expanding on AARE grammar, which admittedly is a gory
> issue, try finding a proper globbing grammar :/
>

No kidding, this is a point of debate.
There are some boolean expression changes coming that sort of expand the syntax
(but not at the subexpression level). The exact syntax has not been settled on,
but it will allow expressions to be things like

    /** - /bin/*.foo px,

or perhaps (another proposed syntax)

    /** except /bin/*.foo px,

The spacing to separate the subexpression from the operator and the other
subexpression is required.

> But one important aspect here is that contrary to (sh?) range negation "[!]",
> AppArmor uses [^] similar to typical regexes.
>

Yep, it's been that forever, partly because the original backend for it was PCRE.

> Another question here is: does AppArmor AARE explicitly support character
> classes, or is this an undocumented and un-guaranteed side-effect of the
> Python-based implementation of the parser?
>

It does not in its current form but may in the future. They are something we
have to be very very careful about.

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
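
The differences from shell globbing raised in this thread (`*` versus `**`, and `[^]` rather than `[!]` for negation), as an added Python example that is not part of the original messages and is not AppArmor's parser code. It assumes the apparmor.d semantics that `*` and `?` never match `/` while `**` does, and it assumes `!` inside a class is an ordinary member; variables and the parser's further special cases are omitted, and all paths are constructed samples.

```python
import re

def aare_to_regex(aare: str) -> str:
    """Translate a simplified AARE subset (* ** ? [] {}) into a Python regex."""
    out, i, depth = [], 0, 0
    while i < len(aare):
        c = aare[i]
        if c == "\\" and i + 1 < len(aare):       # backslash-escaped literal
            out.append(re.escape(aare[i + 1]))
            i += 2
            continue
        if aare.startswith("**", i):              # ** may cross '/'
            out.append(r"[^\x00]*")
            i += 2
            continue
        if c == "*":                              # * stops at '/'
            out.append(r"[^/\x00]*")
        elif c == "?":                            # one character, never '/'
            out.append(r"[^/\x00]")
        elif c == "[":                            # class; negation is ^, not !
            end = aare.find("]", i + 2)
            if end == -1:
                raise ValueError("unterminated character class")
            body = aare[i + 1:end]
            neg = "^" if body.startswith("^") else ""
            members = re.escape(body[len(neg):]).replace(r"\-", "-")
            out.append("[" + neg + members + "]")
            i = end
        elif c == "{":                            # {a,b} alternation
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unterminated alternation")
    return "".join(out)

def aare_match(aare: str, path: str) -> bool:
    """True if the whole path matches the pattern under the assumptions above."""
    return re.fullmatch(aare_to_regex(aare), path) is not None

if __name__ == "__main__":
    # Constructed sample: a shell-style [!.] does not exclude dotfiles here.
    for pat in ("/home/*/[^.]*", "/home/*/[!.]*"):
        print(pat, "matches /home/u/.ssh:", aare_match(pat, "/home/u/.ssh"))
```

A profile author who carries `[!.]` over from shell habits gets a class that contains `!` and `.` under this model, which is the opposite of the intended exclusion.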