[apparmor] [patch] [04/38] Add detailed regex for file rules

Seth Arnold seth.arnold at canonical.com
Wed Sep 14 05:38:51 UTC 2016


On Fri, Aug 12, 2016 at 10:45:59PM +0200, Christian Boltz wrote:
> Hello,
> 
> $subject.
> 
> For now, use an additional regex RE_PROFILE_FILE_ENTRY to avoid
> breakage of the existing code by the added match groups.
> 
> The regex includes support for file rules with leading and trailing
> permissions as well as bare file rules.
> 
> Note: even with the restriction to the permission letters we actually
> use, it's in theory still possible that a future additional rule type or
> permission letter might lead to additional matches for other rule types.
> Therefore the parsing code should check for all other rule types before
> matching for file rules.
> 
> 
> [ 04-path-rule-regex-named-match.diff ]

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> --- utils/apparmor/regex.py	2016-01-16 21:43:16.935778920 +0100
> +++ utils/apparmor/regex.py	2016-01-16 21:44:09.979448746 +0100
> @@ -82,6 +82,27 @@
>      RE_COMMA_EOL)
>  
>  
> +# RE_PATH_PERMS is as restrictive as possible, but might still cause mismatches when adding different rule types.
> +# Therefore parsing code should match against file rules only after trying to match all other rule types.
> +RE_PATH_PERMS = '(?P<%s>[mrwalkPUCpucix]+)'
> +
> +# XXX drop RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY and RE_OWNER after switching to this regex
> +RE_PROFILE_FILE_ENTRY = re.compile(
> +    RE_AUDIT_DENY +
> +    '(?P<owner>owner\s+)?' +  # optionally: <owner>
> +    '(' +
> +        '(?P<bare_file>file)' +  # bare 'file,'
> +    '|' + # or
> +        '(?P<file_keyword>file\s+)?' +  # optional 'file' keyword
> +        '(' +
> +            RE_PROFILE_PATH_OR_VAR % 'path' + '\s+' + RE_PATH_PERMS % 'perms' +  # path and perms
> +        '|' +  # or
> +            RE_PATH_PERMS % 'perms2' + '\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' +  # perms and path
> +        ')' +
> +        '(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?' +
> +    ')' +
> +    RE_COMMA_EOL)
> +
>  
>  def parse_profile_start_line(line, filename):
>      matches = RE_PROFILE_START.search(line)
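Review bot: the two orderings bind their captures to different group names ('path'/'perms' for "path perms" and 'perms2'/'path2' for "perms path"), so every caller of RE_PROFILE_FILE_ENTRY has to coalesce them, e.g. matches.group('perms') or matches.group('perms2'); a comment next to the regex saying so, or a small helper that returns the merged pair, would keep the first caller from reading only 'perms' and silently dropping leading-permission rules. Two smaller points on the same lines: the fragments are ordinary string literals containing '\s' (e.g. '(?P<owner>owner\s+)?'), which Python 3.6 and later flag with a DeprecationWarning for unknown escapes, so raw strings (r'...') are the safer spelling. And because RE_PATH_PERMS is a bare character class with '+', it accepts any repetition or mixture of the letters (duplicates, more than one exec mode); the regex only locates a file rule, and the permission string still needs semantic validation downstream, which is worth stating in the RE_PATH_PERMS comment alongside the existing caveat about other rule types.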
> 
> 
> 
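The following is an added example, not code from the patch or from utils/apparmor/regex.py: it wires the quoted RE_PROFILE_FILE_ENTRY into a small classifier that does what the commit message asks, namely try every other rule type before falling back to file rules, and shows what the named groups yield for trailing-permission, leading-permission, 'file'-keyword and bare 'file,' rules. The fragments RE_AUDIT_DENY, RE_PROFILE_PATH_OR_VAR, RE_PROFILE_NAME and RE_COMMA_EOL are not shown in the message, so simplified stand-ins are assumed here (no quoted paths with spaces, no brace alternations); the capability and network matchers and all sample lines are likewise constructed for the illustration.

```python
import re

# Stand-ins for fragments the quoted hunk references but does not show.
# These are simplified ASSUMPTIONS for this example, not the project's own
# definitions: an absolute path or an @{VAR}-prefixed token, a bare exec
# target, and a closing comma with an optional trailing comment.
RE_AUDIT_DENY = r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?'
RE_PROFILE_PATH_OR_VAR = r'(?P<%s>(?:/|@\{)\S*)'
RE_PROFILE_NAME = r'(?P<%s>\S+)'
RE_COMMA_EOL = r'\s*,\s*(?:#.*)?$'

# The file-rule regex from the patch, spelled with raw strings for the escapes.
RE_PATH_PERMS = r'(?P<%s>[mrwalkPUCpucix]+)'

RE_PROFILE_FILE_ENTRY = re.compile(
    RE_AUDIT_DENY +
    r'(?P<owner>owner\s+)?' +                      # optionally: owner
    '(' +
        '(?P<bare_file>file)' +                    # bare 'file,'
    '|' +
        r'(?P<file_keyword>file\s+)?' +            # optional 'file' keyword
        '(' +
            RE_PROFILE_PATH_OR_VAR % 'path' + r'\s+' + RE_PATH_PERMS % 'perms' +    # path perms
        '|' +
            RE_PATH_PERMS % 'perms2' + r'\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' +  # perms path
        ')' +
        r'(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?' +
    ')' +
    RE_COMMA_EOL)

# Deliberately crude matchers for two other rule types (assumed shapes, not
# the project's regexes). They exist only to demonstrate the ordering rule.
RE_OTHER_RULES = [
    ('capability', re.compile(RE_AUDIT_DENY + r'capability(\s+\S+)*' + RE_COMMA_EOL)),
    ('network', re.compile(RE_AUDIT_DENY + r'network(\s+\S+)*' + RE_COMMA_EOL)),
]


def parse_file_rule(line):
    """Return the components of a file rule, or None if the line is not one.

    The patch names the captures differently for the two orderings
    ('path'/'perms' versus 'perms2'/'path2'), so both must be read.
    """
    m = RE_PROFILE_FILE_ENTRY.search(line)
    if not m:
        return None
    return {
        'audit': m.group('audit') is not None,
        'deny': (m.group('allow') or '').strip() == 'deny',
        'owner': m.group('owner') is not None,
        'bare': m.group('bare_file') is not None,
        'path': m.group('path') or m.group('path2'),
        'perms': m.group('perms') or m.group('perms2'),
        'target': m.group('target'),
    }


def classify_rule(line):
    """Name the rule type of one profile line, trying file rules LAST.

    RE_PATH_PERMS is a bare character class, so a future keyword built only
    from its letters would otherwise be swallowed as a 'perms path' file rule.
    """
    for name, regex in RE_OTHER_RULES:
        if regex.search(line):
            return name
    if RE_PROFILE_FILE_ENTRY.search(line):
        return 'file'
    return None


# Constructed sample lines for the demonstration (not from any real profile).
SAMPLE_LINES = [
    '  /usr/bin/foo Px -> child,',          # trailing perms plus exec target
    '  owner rw /home/*/.bashrc,',          # leading perms with owner
    '  audit deny file /etc/shadow r,',     # 'file' keyword, audit and deny
    '  file,',                              # bare file rule
    '  /etc/passwd r, # trailing comment',  # comment after the comma
    '  capability dac_override,',           # not a file rule
    '  network inet stream,',               # not a file rule
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print('%-38s %-10s %s' % (line.strip(), classify_rule(line), parse_file_rule(line)))
```

Running the block prints one line per sample: the first five classify as file rules with their merged path, permission and target fields, and the capability and network lines are claimed by their own matchers before the file regex is consulted.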