[apparmor] [PATCH 3/3] Fix: Expansion of profile name when it contains aare characters

Fri Jun 12 21:35:43 UTC 2015

When @{profile_name} is used within a rule matching expression any
aare expressions should be matched literally and not be interpreted as
aare.

That is
  profile /foo/** { }

needs /foo/** to expand into a regular expression for its attachment
but, /foo/** is also the profiles literal name.  And when trying to
match @{profile_name} in a rule, eg.
  ptrace @{profile_name},

the variable needs to be expaned to
  ptrace /foo/\*\*,

not
  ptrace /foo/**,

that is currently happening.

BugLink: http://bugs.launchpad.net/bugs/1317555

equality tests by
  Tyler Hicks <tyhicks at canonical.com>

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_variable.c | 21 ++++++++++++++++++---
 parser/tst/equality.sh   | 12 ++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index d8f77f3..52cb0b0 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -287,6 +287,17 @@ static int process_variables_in_name(Profile &prof)
 	return error;
 }
 
+static std::string escape_re(std::string str)
+{
+	for (size_t i = 0; i < str.length(); i++) {
+		if (strchr("{}[]*?", str[i]) != NULL) {
+			str.insert(i++, "\\");
+		}
+	}
+
+	return str;
+}
+
 int process_profile_variables(Profile *prof)
 {
 	int error = 0, rc;
@@ -296,9 +307,13 @@ int process_profile_variables(Profile *prof)
 	 */
 	error = process_variables_in_name(*prof);
 
-	if (!error)
-		error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(false).c_str());
-
+	if (!error) {
+		/* escape profile name elements that could be interpreted
+		 * as regular expressions.
+		 */
+		error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+	}
+	
 	if (!error)
 		error = process_variables_in_entries(prof->entries);
 
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 9056f48..b35ed34 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -472,6 +472,18 @@ verify_binary_inequality "profile name in NOT fq name in rule" \
 	":ns:/hname { signal peer=:ns:/hname, }" \
 	":ns:/hname { signal peer=@{profile_name}, }"
 
+verify_binary_equality "@{profile_name} is literal in peer" \
+	"/{a,b} { signal peer=/\{a,b\}, }" \
+	"/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with pattern" \
+	"/{a,b} { signal peer={/\{a,b\},c}, }" \
+	"/{a,b} { signal peer={@{profile_name},c}, }"
+
+verify_binary_inequality "@{profile_name} is not pattern in peer" \
+	"/{a,b} { signal peer=/{a,b}, }" \
+	"/{a,b} { signal peer=@{profile_name}, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
-- 
2.1.4


