[apparmor] [PATCH 3/3] Fix: Expansion of profile name when it contains aare characters

Steve Beattie steve at nxnw.org
Sat Jul 11 00:13:29 UTC 2015

On Fri, Jul 10, 2015 at 10:20:38AM -0700, John Johansen wrote:
> v2
> escape \ and add a couple equality tests around it
> ---
> >From 17845cc6d9fd3b167e59394ddc3f53af4c919496 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Fri, 12 Jun 2015 10:18:37 -0700
> Subject: [PATCH] Fix: Expansion of profile name when it contains aare
>  characters
> When @{profile_name} is used within a rule matching expression any
> aare expressions should be matched literally and not be interpreted as
> aare.
> That is
>   profile /foo/** { }
> needs /foo/** to expand into a regular expression for its attachment
> but, /foo/** is also the profiles literal name.  And when trying to
> match @{profile_name} in a rule, eg.
>   ptrace @{profile_name},
> the variable needs to be expaned to
>   ptrace /foo/\*\*,
> not
>   ptrace /foo/**,
> that is currently happening.
> BugLink: http://bugs.launchpad.net/bugs/1317555
> equality tests by
>   Tyler Hicks <tyhicks at canonical.com>
> Signed-off-by: John Johansen <john.johansen at canonical.com>

This is an okay improvement, so Acked-by: Steve Beattie <steve at nxnw.org>
but we really need to rethink the whole impedance mismatch between
wanting to regex match labels and having labels that are described
by regexes.

If nothing else, we should probably adjust our shipped policies to use a
name when a match pattern contains a regex.

Steve Beattie
<sbeattie at ubuntu.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150710/c05dd6f5/attachment.pgp>

More information about the AppArmor mailing list