[apparmor] [PATCH 3/3] Fix: Expansion of profile name when it contains aare characters

Fri Jul 10 17:20:38 UTC 2015

v2
escape \ and add a couple equality tests around it

---

>From 17845cc6d9fd3b167e59394ddc3f53af4c919496 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Fri, 12 Jun 2015 10:18:37 -0700
Subject: [PATCH] Fix: Expansion of profile name when it contains aare
 characters

When @{profile_name} is used within a rule matching expression any
aare expressions should be matched literally and not be interpreted as
aare.

That is
  profile /foo/** { }

needs /foo/** to expand into a regular expression for its attachment
but, /foo/** is also the profiles literal name.  And when trying to
match @{profile_name} in a rule, eg.
  ptrace @{profile_name},

the variable needs to be expaned to
  ptrace /foo/\*\*,

not
  ptrace /foo/**,

that is currently happening.

BugLink: http://bugs.launchpad.net/bugs/1317555

equality tests by
  Tyler Hicks <tyhicks at canonical.com>

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_variable.c | 28 +++++++++++++++++++++++++---
 parser/tst/equality.sh   | 22 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index d8f77f3..d8cde94 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -287,6 +287,24 @@ static int process_variables_in_name(Profile &prof)
 	return error;
 }
 
+static std::string escape_re(std::string str)
+{
+	for (size_t i = 0; i < str.length(); i++) {
+		if (str[i] == '\\') {
+			/* skip \ and follow char. Skipping \ and first
+			 * char is enough for multichar escape sequence
+			 */
+			i++;
+			continue;
+		}
+		if (strchr("{}[]*?", str[i]) != NULL) {
+			str.insert(i++, "\\");
+		}
+	}
+
+	return str;
+}
+
 int process_profile_variables(Profile *prof)
 {
 	int error = 0, rc;
@@ -296,9 +314,13 @@ int process_profile_variables(Profile *prof)
 	 */
 	error = process_variables_in_name(*prof);
 
-	if (!error)
-		error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(false).c_str());
-
+	if (!error) {
+		/* escape profile name elements that could be interpreted
+		 * as regular expressions.
+		 */
+		error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+	}
+	
 	if (!error)
 		error = process_variables_in_entries(prof->entries);
 
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index fc85e03..7c72359 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -488,6 +488,28 @@ verify_binary_inequality "profile name in NOT fq name in hat rule" \
 	":ns:/hname { ^child { signal peer=:ns:/hname//child, } }" \
 	":ns:/hname { ^child { signal peer=@{profile_name}, } }"
 
+verify_binary_equality "@{profile_name} is literal in peer" \
+	"/{a,b} { signal peer=/\{a,b\}, }" \
+	"/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with pattern" \
+	"/{a,b} { signal peer={/\{a,b\},c}, }" \
+	"/{a,b} { signal peer={@{profile_name},c}, }"
+
+verify_binary_inequality "@{profile_name} is not pattern in peer" \
+	"/{a,b} { signal peer=/{a,b}, }" \
+	"/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with esc sequence" \
+	"/\\\\a { signal peer=/\\\\a, }" \
+	"/\\\\a { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with esc alt sequence" \
+	"/\\{a,b\\},c { signal peer=/\\{a,b\\},c, }" \
+	"/\\{a,b\\},c { signal peer=@{profile_name}, }"
+
+
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
-- 
2.1.4



