[apparmor] [PATCH 3/3] Fix: Expansion of profile name when it contains aare characters

Sat Jun 20 02:31:30 UTC 2015

On Fri, Jun 19, 2015 at 06:34:19PM -0700, John Johansen wrote:
> On 06/18/2015 03:52 PM, Steve Beattie wrote:
> > On Wed, Jun 17, 2015 at 04:21:13AM -0700, John Johansen wrote:
> >> When @{profile_name} is used within a rule matching expression any
> >> aare expressions should be matched literally and not be interpreted as
> >> aare.
> >>
> >> That is
> >>   profile /foo/** { }
> >>
> >> needs /foo/** to expand into a regular expression for its attachment
> >> but, /foo/** is also the profiles literal name.  And when trying to
> >> match @{profile_name} in a rule, eg.
> >>   ptrace @{profile_name},
> >>
> >> the variable needs to be expaned to
> >>   ptrace /foo/\*\*,
> >>
> >> not
> >>   ptrace /foo/**,
> >>
> >> that is currently happening.
> > 
> > What happens if someone for example writes a profile for /usr/bin/[ ?
> > 
> the regex conversion fails and you get a lovely error message
> apparmor_parser: Regex grouping error: Unclosed grouping or character class, expecting close }
> apparmor_parser: Unable to parse input line '/usr/bin/['
> apparmor_parser: Invalid profile name '/usr/bin/[[' - bad regular expression
> ERROR processing regexs for profile /usr/bin/[, failed to load
> 
> if you want the regex chars to be not interpreted then you need to escape them
> 
> so
> /usr/bin/\[ { } results in
> a successful compile

so if one writes:

  /usr/bin/\[ {
    signal peer=@{profile_name},
  }

does the patch you posted not convert that @{profile_name} into
"/usr/bin/\\[" ?

That was the point of my insufficiently fleshed out question.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150619/c2e9c15f/attachment-0001.pgp>