[apparmor] Patch - Fix attachment failure for profiles with name and attachment specification

John Johansen john.johansen at canonical.com
Tue Mar 8 09:58:28 UTC 2011


Profiles that specify a name and attachment specification fail to attach when the
attachment specification doesn't contain globbing.

e.g.
   # profile name and attachment the same - attaches as expected
   profile /usr/lib/chromium-browser/chromium-browser

   # profile without attachment specification - does not attach as expected
   profile chromium-browser

   # profile with name and attachment specification where the attachment specification uses globbing - attaches as expected
   profile chromium-browser /usr/lib/chromium-browser/chromium-browser*

   # profile with name and attachment specification without globbing - FAILS to attach when it should
   profile chromium-browser /usr/lib/chromium-browser/chromium-browser


This occurs because the xmatch_len is not set correctly for the profiles that specify
a name and an attachment specification, where the attachment specification does not
contain globbing characters.

In this situation the correct length for the xmatch_len is the length of the name, as
the shortest possible unambiguous match is the name length.

This patch does not fix a related bug where an attachment specification of ** will not
match (whereas /** will).

---

=== modified file 'parser/parser_regex.c'
--- parser/parser_regex.c	2010-12-20 20:29:10 +0000
+++ parser/parser_regex.c	2011-03-08 08:48:57 +0000
@@ -392,6 +392,8 @@
 		name = local_name(cod->name);
 	ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
 					&cod->xmatch_len);
+	if (ptype == ePatternBasic)
+		cod->xmatch_len = strlen(name);
 
 	if (ptype == ePatternInvalid) {
 		PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
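Review bot: the two added lines `if (ptype == ePatternBasic)` / `cod->xmatch_len = strlen(name);` carry no comment saying why the length reported by convert_aaregex_to_pcre is discarded for a pattern without globbing; a reader will assume that function already returns the right value for the basic case. Add a one-line comment stating the rule from the commit message (for a name with no globbing the shortest unambiguous match is the whole name), and consider placing the override after the `if (ptype == ePatternInvalid)` check that follows so the error path stays ahead of any use of the length.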
@@ -414,8 +416,14 @@
 			struct alt_name *alt;
 			list_for_each(cod->altnames, alt) {
 				int len;
-				convert_aaregex_to_pcre(alt->name, 0, tbuf,
-							PATH_MAX + 3, &len);
+				ptype = convert_aaregex_to_pcre(alt->name, 0,
+								tbuf,
+								PATH_MAX + 3,
+								&len);
+				if (ptype == ePatternBasic)
+					len = strlen(alt->name);
+				if (len < cod->xmatch_len)
+					cod->xmatch_len = len;
 				if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) {
 					aare_delete_ruleset(rule);
 					return FALSE;
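Review bot: the return value now captured in ptype for alt->name is only compared against ePatternBasic; unlike the profile-name path in the previous hunk, an ePatternInvalid result is not reported, so a malformed attachment specification still reaches aare_add_rule with an unchecked tbuf and the minimum in `if (len < cod->xmatch_len)` is taken from an undefined len. Mirror the name check before the length update, e.g. `if (ptype == ePatternInvalid) { PERROR(...); aare_delete_ruleset(rule); return FALSE; }`.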

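The attach-length rule the patch describes, written out as an added illustration (this is not the AppArmor parser's code, and it does not reproduce convert_aaregex_to_pcre): xmatch_len is the shortest prefix that still identifies the profile unambiguously, so for a name or attachment with no globbing it is the whole string, for a globbed one it is the literal prefix before the first glob character (assumed here to be how the parser reports it), and a profile with a name plus attachment specifications takes the minimum over all of them. The glob characters recognised (`*`, `?`, `[`, `{`, with backslash as escape) are a simplification of AppArmor's pattern syntax assumed for this example, and the sample profile names are the four cases from the report above.

```c
/* Added example, not the AppArmor parser's own code. Computes the attach
 * length (xmatch_len) of a profile from its name and attachment
 * specifications, following the rule in the patch description. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Length of the literal prefix of pat up to its first unescaped glob
 * character. For a pattern without globbing this is strlen(pat), which is
 * the case the patch fixes. The glob set "*?[{" and the backslash escape
 * are a simplified stand-in for AppArmor's real pattern syntax (assumption). */
size_t attach_len(const char *pat)
{
    size_t i;
    for (i = 0; pat[i] != '\0'; i++) {
        if (pat[i] == '\\' && pat[i + 1] != '\0') {
            i++;                 /* escaped character: never a glob */
            continue;
        }
        if (strchr("*?[{", pat[i]))
            return i;            /* first glob: literal prefix ends here */
    }
    return i;                    /* no globbing: whole string */
}

/* xmatch_len of a profile: the minimum attach length over the profile name
 * and every attachment specification (the altnames loop in the patch). */
size_t profile_xmatch_len(const char *name, const char **attachments, size_t nattach)
{
    size_t len = attach_len(name);
    size_t i;
    for (i = 0; i < nattach; i++) {
        size_t alen = attach_len(attachments[i]);
        if (alen < len)
            len = alen;
    }
    return len;
}

/* Constructed sample inputs: the attachment specifications from the report. */
const char *plain_attachment[] = { "/usr/lib/chromium-browser/chromium-browser" };
const char *glob_attachment[]  = { "/usr/lib/chromium-browser/chromium-browser*" };

int main(void)
{
    printf("name == attachment:        %zu\n",
           profile_xmatch_len("/usr/lib/chromium-browser/chromium-browser", NULL, 0));
    printf("name only:                 %zu\n",
           profile_xmatch_len("chromium-browser", NULL, 0));
    printf("name + globbed attachment: %zu\n",
           profile_xmatch_len("chromium-browser", glob_attachment, 1));
    printf("name + plain attachment:   %zu\n",
           profile_xmatch_len("chromium-browser", plain_attachment, 1));
    return 0;
}
```

For the failing case in the report, name `chromium-browser` with the non-globbed attachment, the result is 16, the length of the name, which is exactly the value the patch forces by overriding the length with `strlen(name)` when the pattern is basic and then taking the minimum across the attachments.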