[apparmor] [patch] [04/38] Add detailed regex for file rules
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 20:45:59 UTC 2016
Hello,
$subject.
For now, use an additional regex RE_PROFILE_FILE_ENTRY to avoid
breakage of the existing code by the added match groups.
The regex includes support for file rules with leading and trailing
permissions as well as bare file rules.
Note: even with the restriction to the permission letters we actually
use, it's in theory still possible that a future additional rule type or
permission letter might lead to additional matches for other rule types.
Therefore the parsing code should check for all other rule types before
matching for file rules.
[ 04-path-rule-regex-named-match.diff ]
--- utils/apparmor/regex.py 2016-01-16 21:43:16.935778920 +0100
+++ utils/apparmor/regex.py 2016-01-16 21:44:09.979448746 +0100
@@ -82,6 +82,27 @@
RE_COMMA_EOL)
+# RE_PATH_PERMS is as restrictive as possible, but might still cause mismatches when adding different rule types.
+# Therefore parsing code should match against file rules only after trying to match all other rule types.
+RE_PATH_PERMS = '(?P<%s>[mrwalkPUCpucix]+)'
+
+# XXX drop RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY and RE_OWNER after switching to this regex
+RE_PROFILE_FILE_ENTRY = re.compile(
+ RE_AUDIT_DENY +
+ '(?P<owner>owner\s+)?' + # optionally: <owner>
+ '(' +
+ '(?P<bare_file>file)' + # bare 'file,'
+ '|' + # or
+ '(?P<file_keyword>file\s+)?' + # optional 'file' keyword
+ '(' +
+ RE_PROFILE_PATH_OR_VAR % 'path' + '\s+' + RE_PATH_PERMS % 'perms' + # path and perms
+ '|' + # or
+ RE_PATH_PERMS % 'perms2' + '\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' + # perms and path
+ ')' +
+ '(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?' +
+ ')' +
+ RE_COMMA_EOL)
+
def parse_profile_start_line(line, filename):
matches = RE_PROFILE_START.search(line)
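Review bot: the pattern fragments containing `\s` in this hunk (`'(?P<owner>owner\s+)?'`, `'(?P<file_keyword>file\s+)?'`, `'\s+'`, `'(\s+->\s*'`) are ordinary string literals rather than raw strings, so `\s` is an unrecognized escape that newer Python versions flag with a DeprecationWarning/SyntaxWarning; prefix them with `r` (e.g. `r'(?P<owner>owner\s+)?'`) to match the intent and the style of the surrounding regex constants. Also worth a comment in the hunk: because Python forbids duplicate group names across alternatives, a match will populate either `path`/`perms` or `path2`/`perms2`, so any caller has to pick the one that is not None (and the commit message's "check all other rule types first" caveat should be repeated next to `RE_PROFILE_FILE_ENTRY` itself, not only at `RE_PATH_PERMS`).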
Regards,
Christian Boltz
--
* h01ger goes to get food, brb
<intrigeri> apparmor="DENIED" operation="open" profile="/usr/bin/h01ger"
name="/dev/food0" pid=19136 requested_mask="r" denied_mask="r" fsuid=0
ouid=0
[from #apparmor]