[apparmor] [PATCH 9/9] Require matched mode strings to terminate
John Johansen
john.johansen at canonical.com
Wed Dec 28 19:47:49 UTC 2011
On 12/27/2011 08:41 PM, Seth Arnold wrote:
> On Tue, Dec 27, 2011 at 7:01 PM, John Johansen
> <john.johansen at canonical.com> wrote:
>> mode strings overlap with other potential commands, or strings, and as
>> currently written can be matched as a leading substring of an ID. Eliminate
>> the leading substring case by requiring that for a mode string to be
>> recognized it must be terminated by whitespace, eol, eof, or
>> comma (end of rule).
>>
>> The other cases where mode strings overlap are ambiguous and the ID should
>> be quoted to remove the ambiguity.
>
>> END_OF_RULE [,]
>
>> -{MODES} {
>> +({MODES})/({WS}|{END_OF_RULE}|[\n]) {
>> DUMP_PREPROCESS;
>> yylval.mode = strdup(yytext);
>> PDEBUG("Found modes: %s\n", yylval.mode);
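Review bot: the trailing context on the added line, ({WS}|{END_OF_RULE}|[\n]), has no alternative that can match at end of input, although the commit message lists eof among the accepted terminators. End of input is not a character, so a mode string that is the last token of a file with no final newline will not be recognised by this rule. Either handle that case explicitly (for example with an <<EOF>> rule, or by making sure the scanner always sees a final newline) or drop eof from the description and document that a profile or include must not end directly after a mode string. Separately, the strdup(yytext) result in the context lines is stored in yylval.mode and passed to PDEBUG without a NULL check.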
>
> How does this represent EOF? Wouldn't EOF be an error condition except
It doesn't
> when parsing the profile chunks in abstractions?
>
yes it would be, whether we want to change this, so that abstractions can
end their file on the same line as a MODE I am unsure.
For various reasons I favor not having the include be just a text dump,
but perhaps that isn't what other people want.
> Also, be very careful with the variable-length trailing context: flex
> runtime goes to hell in a hurry when trailing context isn't a fixed, known
> length: http://flex.sourceforge.net/manual/Performance.html
>
yes, but this case is a fixed length with a fixed number of characters.
> Is fixing this ambiguity this way worth it? (untested, I just go by what I
> read...)
>
I am open to other solutions, it's just the one I came up with