[apparmor] [patch] move quote_if_needed() to apparmor.rule

Christian Boltz apparmor at cboltz.de
Sat May 9 11:41:28 UTC 2015


Hello,

On Friday, 8 May 2015, Seth Arnold wrote:
> On Fri, May 08, 2015 at 11:56:46PM +0200, Christian Boltz wrote:

> > +++ utils/apparmor/rule/__init__.py     2015-05-08
> > 23:46:26.461767822 +0200 +def quote_if_needed(data):
> > +    '''quote data if it contains whitespace'''
> > +    if ' ' in data:
> > +        data = '"' + data + '"'
> > +    return data
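
Review bot: the test ' ' in data in quote_if_needed() only looks for a literal space although the docstring promises "whitespace", so a value containing a tab is returned unquoted. The same branch wraps data in double quotes without escaping a " that is already inside it, and it wraps again if data arrives already quoted. Suggest checking for any whitespace character, escaping embedded " before adding the surrounding quotes, and stating in the docstring that the function expects an unquoted value.
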
> 
> This looks broken to me; the following profile fails to compile:
> 
> 
> profile foo {
>   file "/foo " bar" r,
> }
> 
> while the following profile compiles fine:
> 
> profile foo {
>   file "/foo \" bar" r,
> }
> 
> The quoting mechanism should also escape any " marks within.

(from the follow-up mail)
> .. And it should probably also be idempotent and not grow quoted 
> content indefinitely each time it is called.

Agreed, but
a) handling escaping isn't as easy as it looks, at least when it comes 
   to corner cases
b) to avoid duplicate escaping, maybe the parsing functions 
   (strip_quotes()) should un-escape what they read, and the output 
   functions (like quote_if_needed()) should add the escaping back.
   (While this would be the best solution, I'm not sure if it works for 
   us.)
c) the regex uses something like   "[^"]*"   to match quoted strings, so
   parsing will fail at that level already (any idea for a better 
   regex?)

BTW: Do we have documentation that describes what needs to be escaped, 
and how this needs to be done? I could imagine that \ needs to become \\ 
and man apparmor.d (only) mentions \000 and \x00 when searching for 
"escap.*" or "\", which means that manpage is far from complete :-/


Regards,

Christian Boltz
-- 
What do a revolver and Windows 98 have in common?
As long as they are not loaded, they are harmless.
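
Points b) and c) above, as an added sketch that is not part of the original mail and not the apparmor.rule code: the parse side un-escapes, the output side re-escapes, and the regex lets an escaped quote sit inside a quoted string. It assumes \" and \\ are the only escape sequences (the thread notes the real rules are undocumented); the function bodies, find_quoted() and roundtrip() are hypothetical.

```python
import re

# Assumption: inside double quotes, \" and \\ are the only escape sequences.
# Anything else after a backslash (e.g. \000) is rejected, not guessed at.
# Unlike "[^"]*", this pattern does not stop at an escaped quote.
QUOTED = re.compile(r'"((?:[^"\\]|\\["\\])*)"')
NEEDS_QUOTES = re.compile(r'[\s"\\]')


def strip_quotes(token):
    """Parse side: turn a token read from a profile into its raw value."""
    if not token.startswith('"'):
        return token                      # unquoted tokens are taken literally
    match = QUOTED.fullmatch(token)
    if match is None:
        raise ValueError('malformed quoted string: %r' % token)
    return re.sub(r'\\(["\\])', r'\1', match.group(1))


def quote_if_needed(value):
    """Output side: serialise a raw value, escaping before quoting."""
    if value and not NEEDS_QUOTES.search(value):
        return value
    return '"' + re.sub(r'(["\\])', r'\\\1', value) + '"'


def find_quoted(line):
    """Return the raw value of every quoted string in one profile line."""
    return [strip_quotes(m.group(0)) for m in QUOTED.finditer(line)]


def roundtrip(token, times):
    """Parse and re-serialise repeatedly; the token must not grow."""
    for _ in range(times):
        token = quote_if_needed(strip_quotes(token))
    return token


if __name__ == '__main__':
    # Constructed sample input, modelled on the two profiles in the thread.
    print(find_quoted(r'  file "/foo \" bar" r,'))
    print(roundtrip(r'"/foo \" bar"', 5))
    try:
        strip_quotes('"/foo " bar"')      # the profile that fails to compile
    except ValueError as err:
        print('rejected:', err)
```

Because every caller holds the raw value between parsing and output, repeated round trips cannot stack escapes; calling quote_if_needed() twice on its own output is still a caller error.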



