[apparmor] [PATCH 1/2] utils: Remove unnecessary regex groups

Tyler Hicks tyhicks at canonical.com
Wed Apr 23 21:22:45 UTC 2014


On 2014-04-23 23:04:38, Christian Boltz wrote:
> Hello,
> 
> On Wednesday, 23 April 2014, Tyler Hicks wrote:
> > The regexes for signal, ptrace, and pivot_root rules each had an extra
> > grouping around the terms 'signal', 'ptrace', and 'pivot_root'. Those
> > extra groupings can be safely removed.
> 
> Indeed.
> 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >  utils/apparmor/aa.py | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
> > index 05ed2d0..4f660e2 100644
> > --- a/utils/apparmor/aa.py
> > +++ b/utils/apparmor/aa.py
> > @@ -2624,9 +2624,9 @@ 
> 
> >  RE_PROFILE_DBUS =
> > re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(dbus[^#]*\s*,)\s*(#.*)
> > ?$')
> > RE_PROFILE_MOUNT =
> > re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)
> > [^#]*\s*,)\s*(#.*)?$') 
> ...
> > +RE_PROFILE_SIGNAL =
> > re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(signal[^#]*\s*,)\s*(#.
> > *)?$') 
> > +RE_PROFILE_PTRACE =
> > re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(ptrace[^#]*\s*,)\s*(#.
> > *)?$') 
> > +RE_PROFILE_PIVOT_ROOT =
> > re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root[^#]*\s*,)\s
> > *(#.*)?$')
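
Review bot: In the three added lines, `signal[^#]*`, `ptrace[^#]*` and `pivot_root[^#]*` place no separator after the keyword, so any line that merely begins with the keyword and ends in a comma is accepted as that rule type (the unchanged DBUS and MOUNT context lines share the shape). Consider requiring whitespace before any arguments, for example `(signal(\s+[^#]*)?\s*,)`, and note that the extra capturing group moves the comment from group 4 to group 5 unless the inner group is made non-capturing. The patterns are also plain string literals containing `\s`; passing raw strings to `re.compile` would avoid relying on unrecognised escapes being passed through.
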
> 
> Acked-by: Christian Boltz <apparmor at cboltz.de>

Thanks!

> 
> 
> Side note: the regex for PIVOT_ROOT will also match "pivot_rootbeer" ;-) 
> which is probably not intended (hey, I prefer wine! ;-)
> The same applies for all other regexes quoted above, starting with DBUS.

I noticed that, too, but was already tired of (manually) testing the
python utils to make another change to the code.

> 
> The correct (and untested ;-) solution would be to replace
>     (keyword[^#]*)
> with
>     (keyword(\s+[^#]*)?)
> to enforce some space after the keyword.
> 
> It would be even better to change it to
>     keyword(\s+[^#]*)?
> but that would need some follow-up changes because it excludes the 
> keyword from the match.

Another follow-up change would be that the write_*_rules() methods would
have to be updated to output the appropriate keyword. The dbus,
pivot_root, signal, and ptrace parsing is just saving off the entire
line.

Also, the mount parsing is going to be a problem since it doesn't
differentiate between (mount|remount|umount) when it stores off the raw
line.

> 
> Opinions?

The 2nd option is best, but it is also the most work. But, IMO, there
are much bigger fish to fry.

Tyler

> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> Sorry for the rant, I tried for a long time to find nice words but these
> were the nicest I could find :-) [Stefan Seyfried in opensuse-factory]
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
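
The over-match discussed in this thread and the proposed whitespace fix, shown as an added Python example that is not part of the original mails or of AppArmor's aa.py. The helper names, the non-capturing variant and the sample lines are constructed for illustration.

```python
import re

# Keywords whose patterns are quoted in the thread (mount is left out here).
KEYWORDS = ("dbus", "signal", "ptrace", "pivot_root")
PREFIX = r"^\s*(audit\s+)?(allow\s+|deny\s+)?("   # group 3 opens here
SUFFIX = r"\s*,)\s*(#.*)?$"                       # group 3 closes, then comment


def loose(keyword):
    """Shape used in the patch: any non-'#' text may follow the keyword."""
    return re.compile(PREFIX + keyword + r"[^#]*" + SUFFIX)


def strict(keyword, capture_args=False):
    """Shape proposed in the thread: arguments must start with whitespace."""
    # capture_args=True is the literal proposal, (keyword(\s+[^#]*)?), which
    # adds a group and moves the comment from group 4 to group 5. The default
    # non-capturing group is this example's choice and keeps indices stable.
    opener = "(" if capture_args else "(?:"
    return re.compile(PREFIX + keyword + opener + r"\s+[^#]*)?" + SUFFIX)


def rule_keyword(line, build):
    """First keyword whose pattern (made by build) matches line, else None."""
    for kw in KEYWORDS:
        if build(kw).match(line):
            return kw
    return None


def misparsed(lines):
    """Lines the loose patterns accept as rules but the strict ones reject."""
    return [ln for ln in lines
            if rule_keyword(ln, loose) and not rule_keyword(ln, strict)]


# Constructed input: three rule-shaped lines and three lookalikes.
SAMPLE = [
    "  pivot_root /mnt/root/,",
    "  pivot_rootbeer,",
    "  audit deny signal send, # no signals",
    "  signalfd rw,",
    "  ptrace,",
    "  dbusx send,",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(f"{ln!r:42} loose={rule_keyword(ln, loose)} "
              f"strict={rule_keyword(ln, strict)}")
```
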