[apparmor] [patch] [04/38] Add detailed regex for file rules
Seth Arnold
seth.arnold at canonical.com
Wed Sep 14 05:38:51 UTC 2016
On Fri, Aug 12, 2016 at 10:45:59PM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> For now, use an additional regex RE_PROFILE_FILE_ENTRY to avoid
> breakage of the existing code by the added match groups.
>
> The regex includes support for file rules with leading and trailing
> permissions as well as bare file rules.
>
> Note: even with the restriction to the permission letters we actually
> use, it's in theory still possible that a future additional rule type or
> permission letter might lead to additional matches for other rule types.
> Therefore the parsing code should check for all other rule types before
> matching for file rules.
>
>
> [ 04-path-rule-regex-named-match.diff ]
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
>
> --- utils/apparmor/regex.py 2016-01-16 21:43:16.935778920 +0100
> +++ utils/apparmor/regex.py 2016-01-16 21:44:09.979448746 +0100
> @@ -82,6 +82,27 @@
> RE_COMMA_EOL)
>
>
> +# RE_PATH_PERMS is as restrictive as possible, but might still cause mismatches when adding different rule types.
> +# Therefore parsing code should match against file rules only after trying to match all other rule types.
> +RE_PATH_PERMS = '(?P<%s>[mrwalkPUCpucix]+)'
> +
> +# XXX drop RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY and RE_OWNER after switching to this regex
> +RE_PROFILE_FILE_ENTRY = re.compile(
> + RE_AUDIT_DENY +
> + '(?P<owner>owner\s+)?' + # optionally: <owner>
> + '(' +
> + '(?P<bare_file>file)' + # bare 'file,'
> + '|' + # or
> + '(?P<file_keyword>file\s+)?' + # optional 'file' keyword
> + '(' +
> + RE_PROFILE_PATH_OR_VAR % 'path' + '\s+' + RE_PATH_PERMS % 'perms' + # path and perms
> + '|' + # or
> + RE_PATH_PERMS % 'perms2' + '\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' + # perms and path
> + ')' +
> + '(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?' +
> + ')' +
> + RE_COMMA_EOL)
> +
>
> def parse_profile_start_line(line, filename):
> matches = RE_PROFILE_START.search(line)
>
>
>
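Review bot: The fragments of RE_PROFILE_FILE_ENTRY that contain `\s` (the owner, file_keyword, path/perms and `->` target lines) are ordinary string literals, so they rely on Python passing the unrecognised escape `\s` through unchanged; Python 3.6 and later emit a DeprecationWarning for that. Writing them as raw strings, for example r'(?P<owner>owner\s+)?', leaves the compiled pattern identical and removes that dependency. Separately, the two orderings capture into different groups (path/perms versus perms2/path2) and the comment above the regex does not mention it; a line saying that callers have to check both pairs, and that RE_PATH_PERMS accepts any sequence of the listed letters so the permission string still has to be validated after the match, would help whoever later drops RE_PROFILE_PATH_ENTRY in favour of this regex.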