v2 escape \ and add a couple equality tests around it ---
>From 17845cc6d9fd3b167e59394ddc3f53af4c919496 Mon Sep 17 00:00:00 2001
From: John Johansen <[email protected]>
Date: Fri, 12 Jun 2015 10:18:37 -0700
Subject: [PATCH] Fix: Expansion of profile name when it contains aare characters

When @{profile_name} is used within a rule matching expression any aare expressions should be matched literally and not be interpreted as aare. That is profile /foo/** { } needs /foo/** to expand into a regular expression for its attachment but, /foo/** is also the profiles literal name. And when trying to match @{profile_name} in a rule, eg. ptrace @{profile_name}, the variable needs to be expaned to ptrace /foo/\*\*, not ptrace /foo/**, that is currently happening.

BugLink: http://bugs.launchpad.net/bugs/1317555

equality tests by Tyler Hicks <[email protected]>

Signed-off-by: John Johansen <[email protected]>
---
 parser/parser_variable.c | 28 +++++++++++++++++++++++++---
 parser/tst/equality.sh | 22 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index d8f77f3..d8cde94 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -287,6 +287,24 @@ static int process_variables_in_name(Profile &prof)
 return error;
 }
 
+static std::string escape_re(std::string str)
+{
+ for (size_t i = 0; i < str.length(); i++) {
+ if (str[i] == '\\') {
+ /* skip \ and follow char. Skipping \ and first
+ * char is enough for multichar escape sequence
+ */
+ i++;
+ continue;
+ }
+ if (strchr("{}[]*?", str[i]) != NULL) {
+ str.insert(i++, "\\");
+ }
+ }
+
+ return str;
+}
+
 int process_profile_variables(Profile *prof)
 {
 int error = 0, rc;
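Review bot: `strchr("{}[]*?", str[i])` in escape_re also returns non-NULL when `str[i]` is `'\0'`, because strchr treats the terminating NUL of the set as a member, so a NUL byte inside the name would get a backslash inserted in front of it; whether a profile name can reach this point with an embedded NUL is not visible in this hunk, but the guard `if (str[i] != '\0' && strchr("{}[]*?", str[i]) != NULL)` closes the case at no cost. The helper also carries no comment stating its contract, and a reader has to infer from the character set that it targets aare rather than a general regex; I would add above it `/* Escape the aare metacharacters {}[]*? in str so that a profile name substituted for @{profile_name} is matched literally; existing backslash escapes are left as they are. */`. The `i++` on a trailing backslash is fine as written, since the loop condition is re-checked before the next read.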
@@ -296,9 +314,13 @@ int process_profile_variables(Profile *prof)
 */
 error = process_variables_in_name(*prof);
 
- if (!error)
- error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(false).c_str());
-
+ if (!error) {
+ /* escape profile name elements that could be interpreted
+ * as regular expressions.
+ */
+ error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+ }
+
 if (!error)
 error = process_variables_in_entries(prof->entries);
 
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index fc85e03..7c72359 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -488,6 +488,28 @@ verify_binary_inequality "profile name in NOT fq name in hat rule" \
 ":ns:/hname { ^child { signal peer=:ns:/hname//child, } }" \
 ":ns:/hname { ^child { signal peer=@{profile_name}, } }"
 
+verify_binary_equality "@{profile_name} is literal in peer" \
+ "/{a,b} { signal peer=/\{a,b\}, }" \
+ "/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with pattern" \
+ "/{a,b} { signal peer={/\{a,b\},c}, }" \
+ "/{a,b} { signal peer={@{profile_name},c}, }"
+
+verify_binary_inequality "@{profile_name} is not pattern in peer" \
+ "/{a,b} { signal peer=/{a,b}, }" \
+ "/{a,b} { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with esc sequence" \
+ "/\\\\a { signal peer=/\\\\a, }" \
+ "/\\\\a { signal peer=@{profile_name}, }"
+
+verify_binary_equality "@{profile_name} is literal in peer with esc alt sequence" \
+ "/\\{a,b\\},c { signal peer=/\\{a,b\\},c, }" \
+ "/\\{a,b\\},c { signal peer=@{profile_name}, }"
+
+
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
-- 
2.1.4

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
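Review bot: `escape_re(prof->get_name(false)).c_str()` hands new_set_var a pointer into a temporary that dies at the end of the full expression, so the call is only safe if new_set_var copies the value rather than retaining the pointer. The old line passed `prof->get_name(false).c_str()` in the same shape, which suggests it does copy, but if get_name returns a reference the old pointer was stable and the new one is not; new_set_var is outside this hunk, so it is worth confirming. The new comment could also say what the escaping is for, e.g. `/* escape aare metacharacters in the profile name so that @{profile_name} matches the name literally. */`, since "regular expressions" is broader than the set escape_re handles.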
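Review bot: The added equality tests exercise only `{`, `}` and backslash escapes; `*`, `?`, `[` and `]` are in escape_re's set too, and the `/foo/**` case cited in the commit message has no test, so a regression on those characters would pass this suite. A constructed pair such as `verify_binary_equality "@{profile_name} is literal in peer with glob" "/foo/** { signal peer=/foo/\*\*, }" "/foo/** { signal peer=@{profile_name}, }"` plus the matching `verify_binary_inequality` against `peer=/foo/**` would close that gap. The three blank lines added just before the `if [ $fails -ne 0 -o $errors -ne 0 ]` check look unintended and could be trimmed to one.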
