[apparmor] [PATCH 05/13] Require matched mode strings to terminate

Tue Feb 14 17:32:27 UTC 2012

mode strings overlap with other potential commands, or strings, and as
currently written can be match as a leading substring of an ID.  Eliminate
the leading substring case by requiring that for a mode string to be
recognized it must be terminated by whitespace, eol, eof, or
comma (end of rule).

The other cases where modes string overlap are ambiguous and the ID should
be quoted to remove the ambiguity.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_lex.l |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 8f549c8..e4f8f66 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -175,9 +175,9 @@ SLASH		\/
 COLON		:
 END_OF_RULE	[,]
 RANGE		-
-MODE_CHARS 	([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
-MODES		{MODE_CHARS}+
 WS		[[:blank:]]
+MODE_CHARS	([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
+MODES		({MODE_CHARS}+)
 NUMBER		[[:digit:]]+
 
 ID_CHARS	[^ \t\n"!,]
@@ -540,7 +540,7 @@ LT_EQUAL	<=
 			return TOK_ID;
 			}
 
-{MODES}			{
+({MODES})/([[:space:],])	{
 			DUMP_PREPROCESS;
 			yylval.mode = strdup(yytext);
 			PDEBUG("Found modes: %s\n", yylval.mode);
-- 
1.7.9


