Hello,

$subject.

For now, use an additional regex RE_PROFILE_FILE_ENTRY to avoid
breakage of the existing code by the added match groups.

The regex includes support for file rules with leading and trailing
permissions as well as bare file rules.

Note: even with the restriction to the permission letters we actually
use, it's in theory still possible that a future additional rule type or
permission letter might lead to additional matches for other rule types.
Therefore the parsing code should check for all other rule types before
matching for file rules.


[ 04-path-rule-regex-named-match.diff ]

--- utils/apparmor/regex.py     2016-01-16 21:43:16.935778920 +0100
+++ utils/apparmor/regex.py     2016-01-16 21:44:09.979448746 +0100
@@ -82,6 +82,27 @@
     RE_COMMA_EOL)
 
 
+# RE_PATH_PERMS is as restrictive as possible, but might still cause 
mismatches when adding different rule types.
+# Therefore parsing code should match against file rules only after trying to 
match all other rule types.
+RE_PATH_PERMS = '(?P<%s>[mrwalkPUCpucix]+)'
+
+# XXX drop RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY and RE_OWNER 
after switching to this regex
+RE_PROFILE_FILE_ENTRY = re.compile(
+    RE_AUDIT_DENY +
+    '(?P<owner>owner\s+)?' +  # optionally: <owner>
+    '(' +
+        '(?P<bare_file>file)' +  # bare 'file,'
+    '|' + # or
+        '(?P<file_keyword>file\s+)?' +  # optional 'file' keyword
+        '(' +
+            RE_PROFILE_PATH_OR_VAR % 'path' + '\s+' + RE_PATH_PERMS % 'perms' 
+  # path and perms
+        '|' +  # or
+            RE_PATH_PERMS % 'perms2' + '\s+' + RE_PROFILE_PATH_OR_VAR % 
'path2' +  # perms and path
+        ')' +
+        '(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?' +
+    ')' +
+    RE_COMMA_EOL)
+
 
 def parse_profile_start_line(line, filename):
     matches = RE_PROFILE_START.search(line)
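Review bot: the regex fragments in the new RE_PROFILE_FILE_ENTRY are plain string literals containing `\s` (`'(?P<owner>owner\s+)?'`, `'\s+'`, `'(\s+->\s*'`); `\s` is not a valid Python string escape, so it only works because CPython passes unknown escapes through, and newer releases warn on it. Use raw strings (`r'\s+'`, `r'(\s+->\s*'`) for every fragment in this hunk. Separately, because the path-then-perms and perms-then-path alternatives populate different named groups (`path`/`perms` versus `path2`/`perms2`), every consumer has to coalesce both pairs; a one-line comment above RE_PROFILE_FILE_ENTRY stating that exactly one pair is set per match (the other is None) would make that contract explicit, and the comment lines added here also carry trailing whitespace that should be stripped.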



Regards,

Christian Boltz
-- 
* h01ger goes to get food, brb
<intrigeri> apparmor="DENIED" operation="open" profile="/usr/bin/h01ger"
name="/dev/food0" pid=19136 requested_mask="r" denied_mask="r" fsuid=0
ouid=0
[from #apparmor]
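A stand-alone Python rendering of the matching described in this message, added here as an example and not code from the patch or from the AppArmor utils. The helper patterns RE_AUDIT_DENY, RE_PROFILE_PATH_OR_VAR, RE_PROFILE_NAME and RE_COMMA_EOL are not shown in the message, so simplified stand-ins are assumed; the link and capability regexes, and the names parse_file_rule and classify_rule, are likewise introduced only to illustrate the note about checking other rule types before file rules.

```python
import re

# Assumed stand-ins for helper patterns the patch references but this
# message does not show. They are simplified approximations for the demo.
RE_AUDIT_DENY = r'^\s*(?P<audit>audit\s+)?(?P<mode>allow\s+|deny\s+)?'
RE_PROFILE_PATH_OR_VAR = r'(?P<%s>(?:@\{[^}]+\}|/)[^\s,]*)'   # /path or @{VAR}...
RE_PROFILE_NAME = r'(?P<%s>[^\s,]+)'
RE_COMMA_EOL = r'\s*,\s*(?:#.*)?$'

# Same permission-letter class as the patch; raw strings are used throughout
# so that \s is a regex escape rather than a (rejected) string escape.
RE_PATH_PERMS = r'(?P<%s>[mrwalkPUCpucix]+)'

RE_PROFILE_FILE_ENTRY = re.compile(
    RE_AUDIT_DENY +
    r'(?P<owner>owner\s+)?' +                       # optional owner prefix
    r'(' +
        r'(?P<bare_file>file)' +                    # bare 'file,'
    r'|' +
        r'(?P<file_keyword>file\s+)?' +             # optional 'file' keyword
        r'(' +
            RE_PROFILE_PATH_OR_VAR % 'path' + r'\s+' + RE_PATH_PERMS % 'perms' +
        r'|' +
            RE_PATH_PERMS % 'perms2' + r'\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' +
        r')' +
        r'(\s+->\s*' + RE_PROFILE_NAME % 'target' + r')?' +
    r')' +
    RE_COMMA_EOL)

# Constructed "other rule type" patterns used only to show the ordering advice.
RE_PROFILE_LINK = re.compile(
    RE_AUDIT_DENY + r'link\s+(?:subset\s+)?' + RE_PROFILE_PATH_OR_VAR % 'path' +
    r'\s+->\s*' + RE_PROFILE_PATH_OR_VAR % 'target' + RE_COMMA_EOL)
RE_PROFILE_CAP = re.compile(
    RE_AUDIT_DENY + r'capability(?:\s+(?P<cap>[a-z_]+))?' + RE_COMMA_EOL)


def parse_file_rule(line):
    """Return a normalised dict for a file rule, or None if the line is not one.

    Exactly one of the (path, perms) / (perms2, path2) group pairs is populated
    per match, so the two are coalesced here for the caller.
    """
    m = RE_PROFILE_FILE_ENTRY.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        'audit': d['audit'] is not None,
        'deny': (d['mode'] or '').strip() == 'deny',
        'owner': d['owner'] is not None,
        'bare_file': d['bare_file'] is not None,
        'path': d['path'] or d['path2'],
        'perms': d['perms'] or d['perms2'],
        'target': d['target'],
    }


def classify_rule(line):
    """Name the rule type of a profile line.

    Follows the note in the message: every other rule type is tried first and
    the permissive file regex is consulted last, so a future rule type whose
    keyword happens to consist of permission letters cannot be swallowed by it.
    """
    for kind, regex in (('link', RE_PROFILE_LINK), ('capability', RE_PROFILE_CAP)):
        if regex.search(line):
            return kind
    if RE_PROFILE_FILE_ENTRY.search(line):
        return 'file'
    return None


if __name__ == '__main__':
    # Constructed sample lines covering trailing perms, leading perms,
    # bare 'file', exec transition target and an audit/deny prefix.
    for sample in ('/usr/bin/foo rwix,', 'owner r /home/*/.bashrc,', 'file,',
                   'file /bin/foo px -> child,', 'audit deny /etc/shadow r,',
                   'link /foo -> /bar,', 'capability dac_override,'):
        print(classify_rule(sample), parse_file_rule(sample))
```

classify_rule is the shape the consuming parser should take: the file regex is deliberately the last thing tried, which is the point the message makes about its permission-letter class.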
