[apparmor] [PATCH 9/9] Require matched mode strings to terminate
Seth Arnold
seth.arnold at gmail.com
Wed Dec 28 04:41:18 UTC 2011
On Tue, Dec 27, 2011 at 7:01 PM, John Johansen
<john.johansen at canonical.com> wrote:
> Mode strings overlap with other potential commands, or strings, and as
> currently written can be matched as a leading substring of an ID. Eliminate
> the leading substring case by requiring that for a mode string to be
> recognized it must be terminated by whitespace, eol, eof, or
> comma (end of rule).
>
> The other cases where mode strings overlap are ambiguous and the ID should
> be quoted to remove the ambiguity.
> END_OF_RULE [,]
> -{MODES} {
> +({MODES})/({WS}|{END_OF_RULE}|[\n]) {
> DUMP_PREPROCESS;
> yylval.mode = strdup(yytext);
> PDEBUG("Found modes: %s\n", yylval.mode);
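
Review bot: the trailing context in `({MODES})/({WS}|{END_OF_RULE}|[\n])` has no alternative for end of input, although the commit message lists eof among the accepted terminators. Flex trailing context has to match actual input text, and `END_OF_RULE` is `[,]`, so unless `{WS}` (its definition is not shown here) can match the empty string, a mode string that is the last token of input with no trailing newline will no longer be recognized by this rule. Either handle that case in a separate rule, or drop eof from the commit message and say what such input now lexes as.
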
How does this represent EOF? Wouldn't EOF be an error condition except
when parsing the profile chunks in abstractions?
Also, be very careful with the variable-length trailing context: flex
runtime goes to hell in a hurry when trailing context isn't a fixed, known
length: http://flex.sourceforge.net/manual/Performance.html
Is fixing this ambiguity this way worth it? (untested, I just go by what I
read...)
Thanks!
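
The matching behaviour discussed in this thread, modelled as an added C example that is not taken from the patch or from the AppArmor parser. The mode alphabet, the function names and the `accept_eof` flag are assumptions made for illustration; the real `{MODES}` and `{WS}` definitions are not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified mode alphabet (not the parser's real {MODES}). */
static const char MODE_ALPHABET[] = "rwalmkx";

/* Old rule `{MODES}`: any leading run of mode characters is a token,
 * even when it is only the start of a longer ID. */
size_t match_mode_prefix(const char *s)
{
    return strspn(s, MODE_ALPHABET);
}

/* Terminators named in the patch: whitespace, comma (END_OF_RULE), newline.
 * accept_eof models the "eof" case from the commit message, which the
 * trailing-context pattern itself does not list. */
static int is_terminator(char c, int accept_eof)
{
    if (c == '\0')
        return accept_eof;
    return c == ' ' || c == '\t' || c == '\n' || c == ',';
}

/* New rule: the run is a mode token only if a terminator follows it.
 * Returns the token length, or 0 when the text must be lexed as
 * something else (for example an ID). */
size_t match_mode_terminated(const char *s, int accept_eof)
{
    size_t n = strspn(s, MODE_ALPHABET);
    if (n == 0 || !is_terminator(s[n], accept_eof))
        return 0;
    return n;
}

int main(void)
{
    /* Constructed sample inputs. "lkml" is the still-ambiguous case: a
     * whole ID made only of mode characters, which needs quoting. */
    const char *samples[] = { "markers,", "rw,", "rw\n", "rw", "lkml " };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10.8s prefix=%zu terminated=%zu terminated+eof=%zu\n",
               samples[i], match_mode_prefix(samples[i]),
               match_mode_terminated(samples[i], 0),
               match_mode_terminated(samples[i], 1));
    return 0;
}
```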