Re: [libvirt PATCH v2 1/3] scripts: Check spelling

On 1/10/22 11:21, Andrea Bolognani wrote: > On Mon, Jan 10, 2022 at 04:41:25PM +0100, Tim Wiederhake wrote: > > + ("/src/security/apparmor/libvirt-lxc", "devic"), > > Looking at the context where this appears: > > deny /sys/d[^e]*{,/**} wklx, > deny /sys/de[^v]*{,/**} wklx, > deny /sys/dev[^i]*{,/**} wklx, > deny /sys/devi[^c]*{,/**} wklx, > deny /sys/devic[^e]*{,/**} wklx, > deny /sys/device[^s]*{,/**} wklx, > deny /sys/devices/[^v]*{,/**} wklx, > deny /sys/devices/v[^i]*{,/**} wklx, > deny /sys/devices/vi[^r]*{,/**} wklx, > deny /sys/devices/vir[^t]*{,/**} wklx, > deny /sys/devices/virt[^u]*{,/**} wklx, > deny /sys/devices/virtu[^a]*{,/**} wklx, > deny /sys/devices/virtua[^l]*{,/**} wklx, > deny /sys/devices/virtual/[^n]*{,/**} wklx, > deny /sys/devices/virtual/n[^e]*{,/**} wklx, > deny /sys/devices/virtual/ne[^t]*{,/**} wklx, > deny /sys/devices/virtual/net?*{,/**} wklx, > deny /sys/devices/virtual?*{,/**} wklx, > deny /sys/devices?*{,/**} wklx, > > I mean, I don't speak AppArmor but this can't be right, can it? :D It's valid apparmor. At least the apparmor parser doesn't complain :-). ISTM the last rule should cover the others.

> Jim, do you think we actually need such a slippery slope of deny > rules, or can we simplify things a bit? I don't know why all of these deny rules are defined in this manner. /sys/class, /proc/sys/kernel, and others are defined similarly. They were added by Cedric in commit 9265f8ab67d. Cedric, do you recall the purpose of defining the rules in this way?