[apparmor] [PATCH 3/3] Fix: Expansion of profile name when it contains aare characters

John Johansen john.johansen at canonical.com
Sat Jun 20 01:34:19 UTC 2015

On 06/18/2015 03:52 PM, Steve Beattie wrote:
> On Wed, Jun 17, 2015 at 04:21:13AM -0700, John Johansen wrote:
>> When @{profile_name} is used within a rule matching expression any
>> aare expressions should be matched literally and not be interpreted as
>> aare.
>> That is
>>   profile /foo/** { }
>> needs /foo/** to expand into a regular expression for its attachment
>> but, /foo/** is also the profiles literal name.  And when trying to
>> match @{profile_name} in a rule, eg.
>>   ptrace @{profile_name},
>> the variable needs to be expaned to
>>   ptrace /foo/\*\*,
>> not
>>   ptrace /foo/**,
>> that is currently happening.
> What happens if someone for example writes a profile for /usr/bin/[ ?
the regex conversion fails and you get a lovely error message
apparmor_parser: Regex grouping error: Unclosed grouping or character class, expecting close }
apparmor_parser: Unable to parse input line '/usr/bin/['
apparmor_parser: Invalid profile name '/usr/bin/[[' - bad regular expression
ERROR processing regexs for profile /usr/bin/[, failed to load

if you want the regex chars to be not interpreted then you need to escape them

/usr/bin/\[ { } results in
a successful compile

More information about the AppArmor mailing list