On Thu, Jan 06, 2022 at 08:38:32PM +0100, Christian Boltz wrote:
> Am Mittwoch, 5. Januar 2022, 23:09:01 CET schrieb Karsten Hilbert:
> > Unless I misunderstand apparmor profile logic it is not
> > purely cosmetic. It excludes "/home/*/" from @{HOME}.
>
> That's the difference between a human parser (you) and apparmor_parser
> ;-) - you think of the profile as "code" (where order matters) while
> apparmor_parser (mostly) doesn't care about the order.
>
> I'll try to explain how apparmor_parser works using pseudo-SQL:

Another way to look at this is through a quick test:

$ cat test_profile
@{A}=@{B} /a/
@{B}=/b/
@{A}+=/c/
profile p {
@{A} r,
}
$ apparmor_parser -Qd < test_profile
----- Debugging built structures -----
Name: p
Profile Mode: Enforce
--- Entries ---
Mode: r:r Name: ({/b/,/a/,/c/})
$

Maybe a simple example will be more clear :)

Thanks

