[apparmor] [patch] fix regexes for pivot_root etc. to avoid pivot_rootbeer is accepted

Tyler Hicks tyhicks at canonical.com
Fri Apr 25 22:05:21 UTC 2014


On 2014-04-25 23:18:19, Christian Boltz wrote:
> Hello,
> 
> short version: I don't like (pivot_)rootbeer and dbus_drivers ;-)
> 
> 
> long version:
> 
> This patch fixes regular expressions to enforce a space after some
> keyword (dbus, *mount, signal, ptrace, pivot_root) except if the line
> only contains the bare keyword.
> 
> Note that in most cases (except *mount) I used an alternation - this has 
> the advantage that it doesn't change the match group numbering, with the
> small disadvantage of having to mention the keyword twice in the regex.
> I chose this way to avoid that I have to change lots of other places and
> possibly introduce bugs by overlooking something.
> 
> For the *mount rules, I read the code - it shouldn't need any changes 
> because it uses only matches[0..2] (which also means comments are 
> ignored - it's always nice to find additional bugs while writing a 
> patch ;-)
> 
> With this patch applied, the additional tests I proposed two hours ago
> won't fail anymore.

Acked-by: Tyler Hicks <tyhicks at canonical.com>

Thanks!

> 
> 
> === modified file 'utils/apparmor/aa.py'
> --- utils/apparmor/aa.py        2014-04-23 21:28:34 +0000
> +++ utils/apparmor/aa.py        2014-04-25 18:39:55 +0000
> @@ -2625,11 +2625,11 @@
>  RE_PROFILE_HAT_DEF = re.compile('^\s*\^(\"??.+?\"??)\s+((flags=)?\((.+)\)\s+)*\{\s*(#.*)?$')
>  RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')
>  RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')
> -RE_PROFILE_DBUS = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(dbus[^#]*\s*,)\s*(#.*)?$')
> -RE_PROFILE_MOUNT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)[^#]*\s*,)\s*(#.*)?$')
> -RE_PROFILE_SIGNAL = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(signal[^#]*\s*,)\s*(#.*)?$')
> -RE_PROFILE_PTRACE = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(ptrace[^#]*\s*,)\s*(#.*)?$')
> -RE_PROFILE_PIVOT_ROOT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root[^#]*\s*,)\s*(#.*)?$')
> +RE_PROFILE_DBUS = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(dbus\s*,|dbus\s+[^#]*\s*,)\s*(#.*)?$')
> +RE_PROFILE_MOUNT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)(\s+[^#]*)?\s*,)\s*(#.*)?$')
> +RE_PROFILE_SIGNAL = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(signal\s*,|signal\s+[^#]*\s*,)\s*(#.*)?$')
> +RE_PROFILE_PTRACE = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(ptrace\s*,|ptrace\s+[^#]*\s*,)\s*(#.*)?$')
> +RE_PROFILE_PIVOT_ROOT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root\s*,|pivot_root\s+[^#]*\s*,)\s*(#.*)?$')
>  
>  # match anything that's not " or #, or matching quotes with anything except quotes inside
>  __re_no_or_quoted_hash = '([^#"]|"[^"]*")*'
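Review bot: In the RE_PROFILE_MOUNT line the added `(\s+[^#]*)?` is a capturing group, so the trailing comment moves from group 5 to group 6 there, while the other four regexes keep it in group 4. Writing it as `(?:\s+[^#]*)?` would leave the numbering untouched and not depend on callers only reading the first groups. The same non-capturing form, for example `(dbus(?:\s+[^#]*)?\s*,)`, would also let the dbus, signal, ptrace and pivot_root lines enforce the space without repeating the keyword in an alternation. As a style point, these patterns are ordinary string literals containing `\s` and `\S`; an `r'...'` prefix would make the escapes explicit.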
> 
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> With Windows you have a mail reader that can do everything. With Linux you have
> an MUA that can't really do anything at all, but does that damn well.
> [Bernd Brodesser in suse-linux]
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
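The behaviour change in the quoted patch, as an added example that is not part of the original thread: it runs the old and new pivot_root and mount patterns from the hunk over constructed profile lines and reports which lines are accepted and where the trailing comment lands in `groups()`. The patterns are copied from the hunk as raw strings; the sample lines and the helper names `accepted` and `group_layout` are assumptions made for this illustration.

```python
import re

# Patterns copied from the hunk (raw strings; the pattern text is identical).
OLD_PIVOT_ROOT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root[^#]*\s*,)\s*(#.*)?$')
NEW_PIVOT_ROOT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?(pivot_root\s*,|pivot_root\s+[^#]*\s*,)\s*(#.*)?$')
OLD_MOUNT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)[^#]*\s*,)\s*(#.*)?$')
NEW_MOUNT = re.compile(r'^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)(\s+[^#]*)?\s*,)\s*(#.*)?$')

# Constructed profile lines (not taken from a real profile).
PIVOT_LINES = [
    '  pivot_root,',
    '  pivot_root /mnt/root/,',
    '  audit deny pivot_root /mnt/root/, # constructed comment',
    '  pivot_rootbeer,',
    '  pivot_rootbeer /mnt/root/,',
]
MOUNT_LINE = '  mount /dev/sda1 -> /mnt/, # constructed comment'


def accepted(regex, lines):
    """Return the stripped lines that the regex accepts as a rule."""
    return [line.strip() for line in lines if regex.search(line)]


def group_layout(regex, line):
    """Return (rule text, 0-based index of the comment in groups())."""
    groups = regex.search(line).groups()
    comment = [i for i, g in enumerate(groups) if g and g.startswith('#')]
    return groups[2], comment[0]


if __name__ == '__main__':
    print('old accepts:', accepted(OLD_PIVOT_ROOT, PIVOT_LINES))
    print('new accepts:', accepted(NEW_PIVOT_ROOT, PIVOT_LINES))
    checks = [
        ('pivot_root old', OLD_PIVOT_ROOT, PIVOT_LINES[2]),
        ('pivot_root new', NEW_PIVOT_ROOT, PIVOT_LINES[2]),
        ('mount old', OLD_MOUNT, MOUNT_LINE),
        ('mount new', NEW_MOUNT, MOUNT_LINE),
    ]
    for name, regex, line in checks:
        print(name, group_layout(regex, line))
```

The rule text stays in `groups()[2]` for every pattern, which is the range the patch author says the mount code reads; only the comment index of the mount pattern moves.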