[apparmor] [patch] [28/38] AARE: let match() handle plain path regexes as non-regex

Thu Sep 29 19:10:48 UTC 2016

On Thu, Sep 29, 2016 at 08:48:21PM +0200, Christian Boltz wrote:
> Hello,
> 
> Am Montag, 26. September 2016, 14:45:34 CEST schrieb Steve Beattie:
> > On Fri, Aug 12, 2016 at 11:03:09PM +0200, Christian Boltz wrote:
> > > when matching an AARE against another AARE, most AARE objects don't
> > > contain orig_regex (only AARE instances originating from a log event
> > > contain orig_regex).
> > > 
> > > In this case, match() will use is_equal() to error out on the safe
> > > side. Unfortunately this also means that there are lots of false
> > > negative cases where match() returns False errornously.
> > > 
> > > With this patch, match() checks the given AARE regex and, if it
> > > doesn't contain any special characters (wildcards, alternations or
> > > variables), handles it as plain path. This avoids most of the false
> > > negatives.
> > > 
> > > Also extend the AARE tests to check a bunch of plain path regexes
> > > using AARE matching instead of only str matching.
> > > 
> > > [ 28-aare-plain-path.diff ]
> > 
> > Acked-by: Steve Beattie <steve at nxnw.org>, though I'm not crazy about
> > commingling the plain checks with the regex checks in the same
> > function, as I suspect it will make figuring out what's failing when
> > something goes wrong more difficult (in answering "What's being
> > tested and why?").
> 
> Please allow me to disagree ;-)

Sorry, I wrote my comment particularly poorly. My complaint was
about commingling the regex and non-regex checks in the *testcases*
in test/test-aare.py, not the implementation itself in match(). My
apologies for the confusion.

Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160929/be0d298a/attachment.pgp>