[apparmor] [PATCH 05/13] Require matched mode strings to terminate
John Johansen
john.johansen at canonical.com
Tue Feb 14 20:55:26 UTC 2012
On 02/14/2012 11:12 AM, Kees Cook wrote:
> On Tue, Feb 14, 2012 at 09:32:27AM -0800, John Johansen wrote:
>> Mode strings overlap with other potential commands, or strings, and as
>> currently written can be matched as a leading substring of an ID. Eliminate
>> the leading substring case by requiring that for a mode string to be
>> recognized it must be terminated by whitespace, eol, eof, or
>> comma (end of rule).
>>
>> The other cases where mode strings overlap are ambiguous and the ID should
>> be quoted to remove the ambiguity.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>> parser/parser_lex.l | 6 +++---
>> 1 files changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/parser/parser_lex.l b/parser/parser_lex.l
>> index 8f549c8..e4f8f66 100644
>> --- a/parser/parser_lex.l
>> +++ b/parser/parser_lex.l
>> @@ -175,9 +175,9 @@ SLASH \/
>> COLON :
>> END_OF_RULE [,]
>> RANGE -
>> -MODE_CHARS ([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
>> -MODES {MODE_CHARS}+
>> WS [[:blank:]]
>> +MODE_CHARS ([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
>> +MODES ({MODE_CHARS}+)
>> NUMBER [[:digit:]]+
>
> Why the relocation churn here? Better to just change only the MODES
> definition for better change readability.
Hrmm, that's odd, I have no idea. It must have happened when I was refactoring
and I just didn't notice it.
>
>> ID_CHARS [^ \t\n"!,]
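Review bot: the parentheses added in the new MODES definition, ({MODE_CHARS}+), are redundant: flex already wraps a named definition in parentheses when it expands {MODES} (unless the scanner is built in lex-compatibility mode), and the rule in the next hunk wraps it once more as ({MODES}). Combined with moving MODE_CHARS and MODES below WS, this hunk carries no change the fix depends on; leaving the definitions where they were and keeping only the rule change would reduce the patch to the one line that matters.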
>> @@ -540,7 +540,7 @@ LT_EQUAL <=
>> return TOK_ID;
>> }
>>
>> -{MODES} {
>> +({MODES})/([[:space:],]) {
>> DUMP_PREPROCESS;
>> yylval.mode = strdup(yytext);
>> PDEBUG("Found modes: %s\n", yylval.mode);
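Review bot: the trailing context /([[:space:],]) on the new rule pattern has to match an actual input character, so it does not cover the eof case that the commit message lists. A mode string that forms the very last bytes of the input, with no newline after it, no longer matches this rule and is left to whichever other rule matches. Either drop eof from the commit message or handle that case explicitly. Also worth a comment in the lexer: [[:space:]] accepts \r, \v and \f as terminators, which is wider than the WS definition ([[:blank:]]) plus newline.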
>
> Otherwise, looks fine.
>
> -Kees
>