Hello,

On Friday, 6 July 2012, John Johansen wrote:
> On 07/06/2012 03:18 PM, Christian Boltz wrote:
> > On Thursday, 5 July 2012, John Johansen wrote:
> >> The best it could do is apply the same mapping to the tools apply.
> >
> > Sounds like a good idea, but it doesn't cover everything ;-) (see
> > below)
> >
> >> However I think Christian is
> >> right that passing through whitespace, etc could be problematic.
> >
> > There are other characters that can also cause some "funny
> > effects"[tm] ;-)
>
> sure there are a whole host of characters that could be interpreted in
> strange ways

Indeed ;-)

(Sometimes I wish Linux would only support "normal"/"sane" filenames -
but obviously people like it if they can do funny things, for example
https://bugzilla.novell.com/show_bug.cgi?id=757393 )

> > Just curious - how would that profile name look as filename for
> > /etc/apparmor.d/ ? Hmm, let's try...
[...]
> > In other words: genprof doesn't seem to replace any special
> > character. Maybe it better should :-/
>
> heh, not surprising, as it has been lagging in feature support since
> 2.3 I know I didn't get to updating it when I initially added support
> to the parser for profile name globbing

Ah, that explains it ;-)

[...]
> heh again not surprising, we should open a bug

Done - https://bugs.launchpad.net/apparmor/+bug/1021967

> I am not opposed to replacing more characters, the current
> implementation (not yet posted) is a little more straight isgraph(),
> replacing WS with _ and / with ., and just dropping a few others (" '
> ..)

What about using a whitelist with allowed chars and replacing everything
else? Blacklists tend to miss (at least) one thing that will explode
later...

> > That all said - what do you think how the /sys/ entry/directory for
> > the /** profile should be named?
>
> Well ideally the profile would have a specified name, ie
>
> profile default /** { }
>
> so that "default" is used

No cheating please ;-)

> but in the case where it isn't
>
> 123-**
>
> wouldn't be too bad, admittedly using globbing/regex special chars is
> a little scary.

"a little"?!? Are you joking?

> We could replace them with something like
>
> 123-XX

That looks MUCH better and will avoid lots of trouble.

> or escape them
>
> 123-\*\*

Backslashes in the filename? That makes things extremely funny because
you then have to escape the backslashes _and_ the * char. In the shell,
you'll probably end up with something like (untested)
    123-\\\*\\\*
Do you still like this idea? *eg*

> I don't really have a preference they each have their problems.

IMHO not replacing special chars will cause a bigger set of problems (at
least if your target is not to make all tools reading /sys/ safe
regarding the handling of funny[tm] characters in filenames ;-)

In case you are interested - the attached little script[1] creates some
files with funny[tm] filenames. This should give you some ideas how
crazy filenames can be...
(Feel free to test some of the binaries and scripts you regularly run
with those filenames. I wouldn't be too surprised if they break
something ;-)

Regards,

Christian Boltz

[1] gzip'ed to make sure it arrives without unintentional changes
-- 
Too bad the ASCII character set has no little skulls, lightning bolts,
fists and little bombs... [Ratti in fontlinge-devel]
kranke_dateinamen_erstellen.gz
Description: GNU Zip compressed data
-- 
AppArmor mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
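
The whitelist approach suggested in the message above, written out as an added example; it is not part of the original mail and not AppArmor's code. The helper name `mangle_name`, the allowed set `[A-Za-z0-9._-]`, the `X` replacement (taken from the `123-XX` suggestion) and the handling of a leading `.` are assumptions, and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed whitelist: only these bytes pass through unchanged. */
static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                              "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";

/* Hypothetical helper: map a profile name to a safe entry name.
 * Returns the length written, or -1 (out set to "") for empty input
 * or when out is too small. */
int mangle_name(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (!in || !out || outlen == 0)
        return -1;
    out[0] = '\0';
    if (*in == '\0')
        return -1;
    for (; *in; in++) {
        char r = 'X';           /* default: replace, never pass through */

        if (*in == '/')
            r = '.';
        else if (strchr(" \t\n\v\f\r", *in))
            r = '_';            /* any whitespace byte becomes '_' */
        else if (strchr(allowed, *in))
            r = *in;
        if (n + 1 >= outlen) {  /* keep room for the terminating NUL */
            out[0] = '\0';
            return -1;
        }
        out[n++] = r;
    }
    if (out[0] == '.')          /* "/" and "//" must not become "." or ".." */
        out[0] = '_';
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed names: globs, a space, a newline, shell metacharacters. */
    const char *names[] = { "/**", "/usr/bin/foo bar", "a\n$(b)`c`", "/" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (mangle_name(names[i], buf, sizeof buf) >= 0)
            printf("%s\n", buf);
    return 0;
}
```

The mapping is lossy: `/**` and `/??` both become `_XX`, so a caller that needs unique names has to add something unique per profile.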
