[apparmor] [patch] Split off RE_PROFILE_NAME and RE_PROFILE_PATH from RE_PROFILE_START

Christian Boltz apparmor at cboltz.de
Fri May 8 19:27:41 UTC 2015


Hello,

this patch splits off RE_PROFILE_NAME and RE_PROFILE_PATH from 
RE_PROFILE_START (might get re-used later ;-)

Also add two tests for profile names not starting with / - the quoted
version wasn't caught as invalid before, so this change is actually 
also a bugfix.

I propose this patch for trunk and 2.9.


[ 01-split-off-RE_PROFILE_NAME-and-PATH.diff ]

=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py     2015-04-24 22:05:14.670654871 +0200
+++ utils/apparmor/regex.py     2015-05-08 21:12:50.397146889 +0200
@@ -26,6 +26,9 @@
 RE_EOL                  = '\s*(?P<comment>#.*?)?\s*$'  # optional whitespace, optional <comment>, optional whitespace, end of the line
 RE_COMMA_EOL            = '\s*,' + RE_EOL # optional whitespace, comma + RE_EOL
 
+RE_PROFILE_NAME         = '(?P<%s>(\S+|"[^"]+"))'    # string without spaces, or quoted string. %s is the match group name
+RE_PROFILE_PATH         = '(?P<%s>(/\S+|"/[^"]+"))'  # filename (starting with '/') without spaces, or quoted filename. %s is the match group name
+
 RE_PROFILE_END          = re.compile('^\s*\}' + RE_EOL)
 RE_PROFILE_CAP          = re.compile(RE_AUDIT_DENY + 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
 RE_PROFILE_LINK         = re.compile(RE_AUDIT_DENY + 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + RE_COMMA_EOL)
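Review bot: The `\S+` branch of RE_PROFILE_NAME also accepts a token that opens with `"` and never closes it (for instance `"foo`), so the comment "string without spaces, or quoted string" promises more validation than the pattern performs. This is carried over from the old inline pattern, but now that the fragment is meant for reuse it is worth either saying so in the comment or tightening the first branch, e.g. `'(?P<%s>([^"\s]\S*|"[^"]+"))'`, if an unquoted name may never start with a quote. Both templates are filled in with `%`, so a short comment that any literal `%` added later must be written `%%` would prevent a confusing formatting error.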
@@ -62,9 +67,9 @@
 RE_PROFILE_START          = re.compile(
     '^(?P<leadingspace>\s*)' +
     '(' +
-        '(?P<plainprofile>(/\S+|"[^"]+"))' + # just a path
+        RE_PROFILE_PATH % 'plainprofile' + # just a path
         '|' + # or
-        '(' + 'profile' + '\s+(?P<namedprofile>(\S+|"[^"]+"))' + '(\s+(?P<attachment>(/\S+|"/[^"]+")))?' + ')' + # 'profile', profile name, optionally attachment
+        '(' + 'profile' + '\s+' + RE_PROFILE_NAME % 'namedprofile' + '(\s+' + RE_PROFILE_PATH % 'attachment' + ')?' + ')' + # 'profile', profile name, optionally attachment
     ')' +
     '\s+((flags=)?\((?P<flags>.+)\)\s+)?\{' +
     RE_EOL)
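Review bot: The `plainprofile` alternative is narrowed here, not only refactored: its old quoted branch was `"[^"]+"`, while RE_PROFILE_PATH requires `"/[^"]+"`, so every quoted header without the `profile` keyword that does not start with `/` stops matching. Since the patch is also proposed for 2.9, it is worth confirming that no profile the stable tools load today relies on the old form. How callers treat a line that no longer matches RE_PROFILE_START is not visible in this hunk. A comment on the changed line such as `# just a path (the quoted form must start with '/' too)` would record that the stricter match is intentional.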
=== modified file utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py    2015-04-27 22:25:01.512298747 +0200
+++ utils/test/test-regex_matches.py    2015-05-08 21:09:17.085562824 +0200
@@ -403,6 +403,8 @@
         ('/bin/foo /bin/bar', False), # missing 'profile' keyword
         ('profile {', False), # no attachment
         ('   profile foo bar /foo {', False), # missing quotes around "foo bar"
+        ('bin/foo {', False), # not starting with '/'
+        ('"bin/foo" {', False), # not starting with '/', quoted version
 
         ('   /foo {',                     { 'plainprofile': '/foo',    'namedprofile': None,          'attachment': None,     'flags': None,       'comment': None }),
         ('   "/foo" {',                   { 'plainprofile': '"/foo"',  'namedprofile': None,          'attachment': None,     'flags': None,       'comment': None }),
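Review bot: Both added cases exercise only the `plainprofile` branch, although the regex change also routes `namedprofile` and `attachment` through the new shared fragments. Unless the part of this list outside the hunk already covers it, I would add a negative case for a quoted attachment without a leading slash, e.g. `('profile foo "bin/bar" {', False), # attachment not starting with '/'`. The list starts and ends outside the hunk, so existing coverage cannot be checked from here.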



Regards,

Christian Boltz
-- 
Zu Risiken und Nebenwirkungen der PIN und TAN-Eingabe im Internet
beachten Sie die üblichen Sicherheitsmaßnahmen und fragen sie Ihren
gesunden Menschenverstand oder einen Experten.
[gefunden auf http://www.heise.de/security/news/meldung/61241]



