[apparmor] Patch - Fix attachment failure for profiles with name and attachment specification
John Johansen
john.johansen at canonical.com
Tue Mar 8 09:58:28 UTC 2011
Profiles that specify a name and attachment specification fail to attach when the
attachment specification doesn't contain globbing.
e.g.
# profile name and attachment the same - attaches as expected
profile /usr/lib/chromium-browser/chromium-browser
# profile without attachment specification - does not attach as expected
profile chromium-browser
# profile with name and attachment specification where the attachment specification uses globbing - attaches as expected
profile chromium-browser /usr/lib/chromium-browser/chromium-browser*
# profile with name and attachment specification without globbing - FAILS to attach when it should
profile chromium-browser /usr/lib/chromium-browser/chromium-browser
This occurs because the xmatch_len is not set correctly for the profiles that specify
a name and an attachment specification, where the attachment specification does not
contain globbing characters.
In this situation the correct length for the xmatch_len is the length of the name, as
the shortest possible unambiguous match is the name length.
This patch does not fix a related bug where an attachment specification of ** will not
match (/** will).
---
=== modified file 'parser/parser_regex.c'
--- parser/parser_regex.c 2010-12-20 20:29:10 +0000
+++ parser/parser_regex.c 2011-03-08 08:48:57 +0000
@@ -392,6 +392,8 @@
name = local_name(cod->name);
ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
&cod->xmatch_len);
+ if (ptype == ePatternBasic)
+ cod->xmatch_len = strlen(name);
if (ptype == ePatternInvalid) {
PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
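Review bot: The override added right after the convert_aaregex_to_pcre() call replaces the length that call just stored through &cod->xmatch_len, and nothing in the hunk says why that value is unusable for ePatternBasic. A short comment above the new if would help, for example that for a pattern without globbing the shortest possible unambiguous match is the full name length. It would also read more naturally with the ePatternInvalid check first, so an invalid name is rejected before xmatch_len is adjusted.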
@@ -414,8 +416,14 @@
struct alt_name *alt;
list_for_each(cod->altnames, alt) {
int len;
- convert_aaregex_to_pcre(alt->name, 0, tbuf,
- PATH_MAX + 3, &len);
+ ptype = convert_aaregex_to_pcre(alt->name, 0,
+ tbuf,
+ PATH_MAX + 3,
+ &len);
+ if (ptype == ePatternBasic)
+ len = strlen(alt->name);
+ if (len < cod->xmatch_len)
+ cod->xmatch_len = len;
if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) {
aare_delete_ruleset(rule);
return FALSE;
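Review bot: In the altnames loop, ptype is now captured but only compared against ePatternBasic, so an alt->name that converts to ePatternInvalid still reaches "if (len < cod->xmatch_len)". len is declared without an initializer, so if the conversion does not store a length in that case, the comparison reads an indeterminate value and can shrink cod->xmatch_len. Consider handling ePatternInvalid here as the first hunk does for the profile name, or at least initializing len. The same two-line ePatternBasic override now appears at both call sites, which suggests setting the length inside convert_aaregex_to_pcre() instead. Note also that strlen() returns size_t while len is an int.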