[apparmor] [patch] libapparmor: add support for ip addresses and ports

Steve Beattie steve at nxnw.org
Fri Apr 6 22:12:50 UTC 2012


On Fri, Apr 06, 2012 at 02:57:18PM -0700, John Johansen wrote:
> On 04/06/2012 10:39 AM, Steve Beattie wrote:
> > 
> > Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826
> >   https://bugzilla.novell.com/show_bug.cgi?id=755923
> > 
> > This patch modifies the libapparmor log parsing code to add support
> > for the additional ip address and port keywords that can occur in
> > network rejection rules. The laddr and faddr keywords stand for local
> > address and foreign address respectively.
> > 
> > The regex used to match an ip address is not very strict, to hopefully
> > catch the formats that the kernel emits for ipv6 addresses; however,
> > because this is in a context triggered by the addr keywords, it should
> > not over-eagerly consume non-ip addresses. Said addresses are returned
> > as strings in the struct to be processed by the calling application.
> > 
> > (When committing, empty .err files will need to be created as well.)
> > 
> see the one comment below otherwise it looks good and can have my Acked-by:

> > -yy_flex_debug = 0;
> > +yy_flex_debug = 1;
> >  %}
> >  
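
Review bot: the `yy_flex_debug = 1;` line just before `%}` turns the scanner's debug flag on by default, which is unrelated to the laddr/faddr keyword support the description covers and looks like leftover test scaffolding. Keep `yy_flex_debug = 0;` in the committed version so a library built with flex debugging does not trace every log line it parses.
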
> err I don't think we really want to be defaulting to flex_debug as on :)

Doh, of course. I'll fix that.

(Well, in truth, experimentation here seems to indicate that flex
needs to be invoked with -d for this to actually do anything; I have
locally built packages here with the patch as-is that do not emit
debugging information to stderr, but when testing I had enabled it and
got useful debugging info. Which is why it accidentally got left in.)

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
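
The approach the patch description outlines, as an added Python example (not libapparmor's code, which is a flex scanner): a loose address pattern applied only after the `laddr`/`faddr` keywords, with the raw strings handed back for the caller to validate. The log lines, the pattern and the function names are constructed for illustration.

```python
import ipaddress
import re

# Deliberately loose: hex digits, colons and dots cover IPv4, IPv6 and
# IPv4-mapped IPv6 forms. It is only ever applied to the value that
# follows an address keyword, so it cannot swallow other fields.
ADDR_VALUE = r"[0-9A-Fa-f:.]+"
ADDR_FIELD = re.compile(r"\b(laddr|faddr)=(" + ADDR_VALUE + r")(?=\s|$)")


def extract_addrs(line):
    """Return {keyword: raw address string} for laddr/faddr fields in a line."""
    return {key: value for key, value in ADDR_FIELD.findall(line)}


def validate_addrs(raw):
    """Caller-side check: parse each raw string; malformed values become None."""
    checked = {}
    for key, value in raw.items():
        try:
            checked[key] = ipaddress.ip_address(value)
        except ValueError:
            checked[key] = None
    return checked


# Constructed sample lines (illustrative only, not captured kernel output).
SAMPLES = [
    'apparmor="DENIED" operation="connect" laddr=192.0.2.10 faddr=198.51.100.7',
    'apparmor="DENIED" operation="connect" laddr=::ffff:192.0.2.10 faddr=2001:db8::1',
    # Hex-and-colon text outside an address keyword must not be picked up.
    'apparmor="DENIED" operation="open" name="/etc/dead:beef" comm="cafe"',
    # The loose pattern accepts this; the caller's validation rejects it.
    'apparmor="DENIED" operation="connect" laddr=1.2.3.4.5 faddr=::1',
]

if __name__ == "__main__":
    for line in SAMPLES:
        raw = extract_addrs(line)
        print(raw, validate_addrs(raw))
```

The last sample shows the trade-off of a lenient scanner: a malformed address still reaches the application as a string, so the application has to parse it before acting on it.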