[apparmor] [patch] fix regexes for pivot_root etc. to avoid pivot_rootbeer being accepted
Christian Boltz
apparmor at cboltz.de
Fri Apr 25 21:18:19 UTC 2014
Hello,
short version: I don't like (pivot_)rootbeer and dbus_drivers ;-)
long version:
This patch fixes regular expressions to enforce a space after some
keyword (dbus, *mount, signal, ptrace, pivot_root) except if the line
only contains the bare keyword.
Note that in most cases (except *mount) I used an alternation - this has
the advantage that it doesn't change the match group numbering, with the
small disadvantage of having to mention the keyword twice in the regex.
I chose this way to avoid having to change lots of other places and
possibly introduce bugs by overlooking something.
For the *mount rules, I read the code - it shouldn't need any changes
because it uses only matches[0..2] (which also means comments are
ignored - it's always nice to find additional bugs while writing a
patch ;-)
With this patch applied, the additional tests I proposed two hours ago
won't fail anymore.
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-04-23 21:28:34 +0000
+++ utils/apparmor/aa.py 2014-04-25 18:39:55 +0000
@@ -2625,11 +2625,11 @@
RE_PROFILE_HAT_DEF = re.compile('^\s*\^(\"??.+?\"??)\s+((flags=)?\((.+)\)\s+)*\{\s*(#.*)?$')
RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')
RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')
-RE_PROFILE_DBUS = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(dbus[^#]*\s*,)\s*(#.*)?$')
-RE_PROFILE_MOUNT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)[^#]*\s*,)\s*(#.*)?$')
-RE_PROFILE_SIGNAL = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(signal[^#]*\s*,)\s*(#.*)?$')
-RE_PROFILE_PTRACE = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(ptrace[^#]*\s*,)\s*(#.*)?$')
-RE_PROFILE_PIVOT_ROOT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root[^#]*\s*,)\s*(#.*)?$')
+RE_PROFILE_DBUS = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(dbus\s*,|dbus\s+[^#]*\s*,)\s*(#.*)?$')
+RE_PROFILE_MOUNT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)(\s+[^#]*)?\s*,)\s*(#.*)?$')
+RE_PROFILE_SIGNAL = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(signal\s*,|signal\s+[^#]*\s*,)\s*(#.*)?$')
+RE_PROFILE_PTRACE = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(ptrace\s*,|ptrace\s+[^#]*\s*,)\s*(#.*)?$')
+RE_PROFILE_PIVOT_ROOT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root\s*,|pivot_root\s+[^#]*\s*,)\s*(#.*)?$')
# match anything that's not " or #, or matching quotes with anything except quotes inside
__re_no_or_quoted_hash = '([^#"]|"[^"]*")*'
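Review bot: in RE_PROFILE_MOUNT the new `(\s+[^#]*)?` is a capturing group, so the trailing `(#.*)?` shifts from group 5 to group 6 in that one regex, while the alternation form used for dbus, signal, ptrace and pivot_root keeps the old numbering; the message notes that the mount code only reads matches[0..2], so nothing breaks today, but `(?:\s+[^#]*)?` would keep all five regexes numbered consistently and spare whoever later wires up the comment group. The hunk also leaves the match group for the rule text (`pivot_root\s*,|pivot_root\s+[^#]*\s*,`) unchanged in meaning for the bare-keyword case, which is the behaviour the tests mentioned above rely on, so it would be worth adding `pivot_rootbeer` and `dbus_drivers` lookalikes explicitly to those tests so the boundary this patch draws stays documented.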
Regards,
Christian Boltz
--
On Windows you have a mail reader that can do everything. On Linux you have
an MUA that actually can't do anything at all, but does that damn well.
[Bernd Brodesser in suse-linux]
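The following is an added example, not part of Christian's patch or of the apparmor utils: it places the pre-patch and post-patch forms of RE_PROFILE_PIVOT_ROOT and RE_PROFILE_MOUNT from the hunk above side by side and runs both over a handful of constructed rule lines, so the effect of requiring whitespace after the keyword (and the group-numbering difference in the mount regex) can be checked directly. The sample lines are constructed here; the patterns are copied from the hunk, written as raw strings rather than the plain strings the original file uses.

```python
import re

# Pre-patch and post-patch regexes copied from the hunk (raw strings so the
# backslashes survive; aa.py itself uses plain strings).
OLD_PIVOT_ROOT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root[^#]*\s*,)\s*(#.*)?$')
NEW_PIVOT_ROOT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root\s*,|pivot_root\s+[^#]*\s*,)\s*(#.*)?$')

OLD_MOUNT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)[^#]*\s*,)\s*(#.*)?$')
NEW_MOUNT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)(\s+[^#]*)?\s*,)\s*(#.*)?$')

# Constructed sample lines: well-formed rules plus keyword lookalikes in the
# style of the "pivot_rootbeer" case from the message.
SAMPLES = [
    "  pivot_root,",
    "  audit deny pivot_root oldroot=/mnt/ -> /,",
    "  pivot_root, # comment",
    "  pivot_rootbeer,",
    "  pivot_rootbeer /x,",
    "  mount,",
    "  mount options=(rw,bind) /a -> /b,",
    "  mountain /a,",
    "  umount /mnt,",
]


def accepts(regex, line):
    """True if *line* is recognised as a rule of this type by *regex*."""
    return regex.search(line) is not None


def groups(regex, line):
    """Capture groups for *line* (None if no match), to show where the
    trailing comment group ends up under each regex."""
    m = regex.search(line)
    return m.groups() if m else None


def disagreements(old, new, lines):
    """Lines on which the old and new regex give different verdicts,
    as (line, old_verdict, new_verdict) tuples."""
    return [(l, accepts(old, l), accepts(new, l)) for l in lines
            if accepts(old, l) != accepts(new, l)]


if __name__ == "__main__":
    for line, before, after in (disagreements(OLD_PIVOT_ROOT, NEW_PIVOT_ROOT, SAMPLES)
                                + disagreements(OLD_MOUNT, NEW_MOUNT, SAMPLES)):
        print("%-45r old=%-5s new=%s" % (line, before, after))
    # The comment group stays at the same index for pivot_root but moves by
    # one for mount, because the new (\s+[^#]*)? is a capturing group.
    print("pivot_root groups:", groups(OLD_PIVOT_ROOT, "  pivot_root, # c"),
          groups(NEW_PIVOT_ROOT, "  pivot_root, # c"))
    print("mount groups:", groups(OLD_MOUNT, "  mount, # c"),
          groups(NEW_MOUNT, "  mount, # c"))
```

Only the lookalike lines change verdict: `pivot_rootbeer` and `mountain` were accepted before the patch and are rejected after it, while the bare keyword, the keyword followed by a rule body, and the keyword followed by a comment are accepted by both versions.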