[apparmor] [patch] aamode.py - fix LOG_MODE_RE

Steve Beattie steve at nxnw.org
Mon Dec 1 20:18:19 UTC 2014


On Mon, Dec 01, 2014 at 09:09:46PM +0100, Christian Boltz wrote:
> On Monday, 1 December 2014, Steve Beattie wrote:
> > On Sat, Nov 29, 2014 at 08:10:38PM +0100, Christian Boltz wrote:
> > > LOG_MODE_RE (used in validate_log_mode() in aamode.py) just checked
> > > if the given parameter contains one of the possible matches. This
> > > resulted in "invalid" [1] being a valid log mode (from audit.log
> > > requested_mask or denied_mask) because it contains 'a', which is a
> > > valid file mode.
> > > 
> > > This patch wraps the regex into   ^(...)*$   to make sure the full
> > > string contains only allowed file modes.
> > > 
> > > (The question is if the log (!) really contains things like Pix -
> > > but if not, that's worth another patch ;-)
> > > 
> > > The patch also adds some tests for validate_log_mode().
> > > 
> > > (Just in case you wonder about the order - I first noticed the regex
> > > bug, then wrote the tests.)
> 
> > > +    def test_validate_log_mode_5(self):
> > > +        self.assertTrue(validate_log_mode(''))
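Review bot: the assertTrue on validate_log_mode('') in test_validate_log_mode_5 locks in acceptance of an empty mode string, which is a side effect of the `*` quantifier rather than a mode actually being present. Expect False for '' and move the case in with the invalid-input tests under a name that says so, so the suite fails if the regex ever accepts zero modes.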
> > 
> > Is this the correct result? I don't think the old version would have
> > returned True in that situation, and it seems fishy to do so. I think
> > you want '+' instead of '*' (Kleene star).
> 
> Indeed, that's the only sanity check that worked in the old code ;-)
> Good catch!
> 
> Here's the updated patch with two changes:
> - change the regex to use "+" instead of "*" (which means an empty 
>   string will return False)
> - rename test_validate_log_mode_5() to test_validate_log_mode_invalid_4() 
>   and expect False for ''

Thanks. Acked-by: Steve Beattie <steve at nxnw.org>.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
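The regex variants discussed in this thread, side by side, as an added example that is not part of the original message or the AppArmor code: the mode alternation is an assumed, abbreviated set, and the sample strings are constructed. It goes one step beyond the thread by showing that Python's `$` still accepts a trailing newline, which `re.fullmatch` does not.

```python
import re

# Assumed, abbreviated set of file-mode tokens; the real alternation in
# aamode.py is not shown in this thread.
MODES = r"r|w|l|m|k|a|x|ix|ux|px|cx|Px|Cx|Pix|Cix"

UNANCHORED = re.compile(r"(%s)" % MODES)    # before the patch: any match anywhere
STAR = re.compile(r"^(%s)*$" % MODES)       # first patch: zero repetitions allowed
PLUS = re.compile(r"^(%s)+$" % MODES)       # updated patch: at least one mode
FULL = re.compile(r"(?:%s)+" % MODES)       # used with fullmatch(), no anchors needed


def verdicts(mode):
    """Return how each variant judges one mode string."""
    return {
        "unanchored": bool(UNANCHORED.search(mode)),
        "star": bool(STAR.search(mode)),
        "plus": bool(PLUS.search(mode)),
        "fullmatch": bool(FULL.fullmatch(mode)),
    }


# Constructed values standing in for requested_mask / denied_mask fields.
SAMPLES = ["r", "rw", "Pix", "invalid", "", "rw;", "r w", "rw\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = verdicts(sample)
        print("%-10r %s" % (sample, " ".join("%s=%s" % kv for kv in v.items())))
```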