[apparmor] [PATCH 3/3] Fix: Expansion of profile name when it contains aare characters
John Johansen
john.johansen at canonical.com
Fri Jul 10 17:20:38 UTC 2015
v2
escape \ and add a couple equality tests around it
---
>From 17845cc6d9fd3b167e59394ddc3f53af4c919496 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Fri, 12 Jun 2015 10:18:37 -0700
Subject: [PATCH] Fix: Expansion of profile name when it contains aare
characters
When @{profile_name} is used within a rule matching expression any
aare expressions should be matched literally and not be interpreted as
aare.
That is
profile /foo/** { }
needs /foo/** to expand into a regular expression for its attachment
but, /foo/** is also the profiles literal name. And when trying to
match @{profile_name} in a rule, eg.
ptrace @{profile_name},
the variable needs to be expanded to
ptrace /foo/\*\*,
not
ptrace /foo/**,
which is what currently happens.
BugLink: http://bugs.launchpad.net/bugs/1317555
equality tests by
Tyler Hicks <tyhicks at canonical.com>
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_variable.c | 28 +++++++++++++++++++++++++---
parser/tst/equality.sh | 22 ++++++++++++++++++++++
2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index d8f77f3..d8cde94 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -287,6 +287,24 @@ static int process_variables_in_name(Profile &prof)
return error;
}
+static std::string escape_re(std::string str)
+{
+ for (size_t i = 0; i < str.length(); i++) {
+ if (str[i] == '\\') {
+ /* skip \ and follow char. Skipping \ and first
+ * char is enough for multichar escape sequence
+ */
+ i++;
+ continue;
+ }
+ if (strchr("{}[]*?", str[i]) != NULL) {
+ str.insert(i++, "\\");
+ }
+ }
+
+ return str;
+}
+
int process_profile_variables(Profile *prof)
{
int error = 0, rc;
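Review bot: In escape_re the test `strchr("{}[]*?", str[i]) != NULL` is also true when `str[i]` is `'\0'`, because strchr matches the terminating NUL of the literal, so an embedded NUL byte in the std::string would get a backslash inserted in front of it; whether a profile name can carry one is not visible here, but `if (str[i] != '\0' && strchr("{}[]*?", str[i]) != NULL)` closes the case at no cost. The function also has no header comment; I would add `/* return a copy of str with aare metacharacters ({}[]*?) backslash-escaped so the name matches literally; existing \-escapes are kept as-is */` above it. A lone trailing backslash is stepped over by the `i++` without being escaped, which that comment should state as an assumption about well-formed input. process_profile_variables continues outside the hunk.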
@@ -296,9 +314,13 @@ int process_profile_variables(Profile *prof)
*/
error = process_variables_in_name(*prof);
- if (!error)
- error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(false).c_str());
-
+ if (!error) {
+ /* escape profile name elements that could be interpreted
+ * as regular expressions.
+ */
+ error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+ }
+
if (!error)
error = process_variables_in_entries(prof->entries);
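Review bot: Every later expansion of @{profile_name} now yields the backslash-escaped form, not only the peer and ptrace matches the description mentions, because the escaping happens once where PROFILE_NAME_VARIABLE is set rather than at the rule-matching sites; a consumer that presumably expected the raw value of get_name(false) would now have to unescape it, and the hunk's comment does not say so. I would extend the comment to `/* escape profile name elements that could be interpreted as regular expressions; the variable therefore holds the escaped form for every expansion */`. process_profile_variables begins and ends outside the hunk.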
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index fc85e03..7c72359 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -488,6 +488,28 @@ verify_binary_inequality "profile name in NOT fq name in hat rule" \
":ns:/hname { ^child { signal peer=:ns:/hname//child, } }" \
":ns:/hname { ^child { signal peer=@{profile_name}, } }"
+verify_binary_equality "@{profile_name} is literal in peer" \
+ "/{a,b} { signal peer=/\{a,b\}, }" \
+ "/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with pattern" \
+ "/{a,b} { signal peer={/\{a,b\},c}, }" \
+ "/{a,b} { signal peer={@{profile_name},c}, }"
+
+verify_binary_inequality "@{profile_name} is not pattern in peer" \
+ "/{a,b} { signal peer=/{a,b}, }" \
+ "/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with esc sequence" \
+ "/\\\\a { signal peer=/\\\\a, }" \
+ "/\\\\a { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with esc alt sequence" \
+ "/\\{a,b\\},c { signal peer=/\\{a,b\\},c, }" \
+ "/\\{a,b\\},c { signal peer=@{profile_name}, }"
+
+
+
if [ $fails -ne 0 -o $errors -ne 0 ]
then
printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
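Review bot: The new cases exercise `{}`, `,` and `\\` but none of `*`, `?` or `[]`, which escape_re in the same patch also escapes, so the description's own `/foo/**` example stays untested and a regression that dropped `*` from the escape set would pass this file. I would add `verify_binary_equality "@{profile_name} is literal in peer with glob" \` / `"/foo/** { signal peer=/foo/\*\*, }" \` / `"/foo/** { signal peer=@{profile_name}, }"` next to the others, plus a matching verify_binary_inequality against the unescaped `/foo/**`. The surrounding script continues on both sides of the hunk.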
--
2.1.4