Hello,

when matching an AARE against another AARE, most AARE objects don't
contain orig_regex (only AARE instances originating from a log event
contain orig_regex).

In this case, match() will use is_equal() to error out on the safe side.
Unfortunately this also means that there are lots of false negative
cases where match() returns False erroneously.

With this patch, match() checks the given AARE regex and, if it doesn't
contain any special characters (wildcards, alternations or variables),
handles it as a plain path. This avoids most of the false negatives.

Also extend the AARE tests to check a bunch of plain path regexes using
AARE matching instead of only str matching.


[ 28-aare-plain-path.diff ]

=== modified file ./utils/apparmor/aare.py
--- utils/apparmor/aare.py      2016-07-31 13:01:49.562023867 +0200
+++ utils/apparmor/aare.py      2016-07-31 16:26:50.092665766 +0200
@@ -53,12 +53,19 @@
         else:
             return AARE(self.regex, is_path=False)
 
+    # check if a regex is a plain path (not containing variables, alternations 
or wildcards)
+    # some special characters are probably not covered by the plain_path regex 
(if in doubt, better error out on the safe side)
+    plain_path = re.compile('^[0-9a-zA-Z/._-]+$')
+
     def match(self, expression):
         '''check if the given expression (string or AARE) matches the regex'''
 
         if type(expression) == AARE:
             if expression.orig_regex:
                 expression = expression.orig_regex
+            elif self.plain_path.match(expression.regex):
+                # regex doesn't contain variables or wildcards, therefore 
handle it as plain path
+                expression = expression.regex
             else:
                 return self.is_equal(expression)  # better safe than sorry
         elif not type_is_str(expression):
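
Review bot: the `plain_path` pattern added above `match()` is anchored with `$`, which in Python's `re` also matches just before a trailing newline, so an `expression.regex` ending in a newline would pass the check and be handled as a plain path. Since the accompanying comment says to err on the safe side, anchor the pattern with `\Z` instead of `$`. As a style point, the attribute holds a compiled pattern rather than a path, so a name that says so would read better at the `self.plain_path.match(expression.regex)` call.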

--- utils/test/test-aare.py     2016-07-31 13:01:49.562023867 +0200
+++ utils/test/test-aare.py     2016-07-31 16:46:39.743227189 +0200
@@ -138,6 +138,9 @@
 
         aare_obj = AARE(regex, True)
         self.assertEqual(aare_obj.match(path), expected, 'Incorrectly parsed 
AARE object: %s' % regex)
+        if not ('*' in path or '{' in path or '}' in path or '?' in path):
+            self.assertEqual(aare_obj.match(AARE(path, False)), expected, 
'Incorrectly parsed AARE object: AARE(%s)' % regex)
+
 
     def test_multi_usage(self):
         aare_obj = AARE('/foo/*', True)
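
Review bot: the failure message of the new assertion formats `regex` into `AARE(%s)`, but the object being matched is `AARE(path, False)`, so a failing case would print the wrong value; include `path` (ideally both `regex` and `path`) in the message. The guard also lists only `*`, `{`, `}` and `?`, which is not the same set as the `plain_path` character class in aare.py: a test path with any other character outside that class goes through the `is_equal()` fallback and may not return `expected`, so a comment stating that assumption would help. The added blank `+` line also leaves an extra empty line before `test_multi_usage`.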



Regards,

Christian Boltz
-- 
Just assume that all the people who don't reply agree, with a +1.
If they disagree, they should raise their voices with an argument.
When there's no argument left, it means we all agree.
[Vincent Untz in opensuse-foundation]
