From 1ff9306c93d9a76d6790082cb334c28da03ead9e Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Thu, 13 Mar 2025 17:11:07 +0100
Subject: [PATCH] UnixRule: allow comma as separator in peer= ... and add some tests for it
---
 utils/apparmor/rule/unix.py | 2 +-
 utils/test/test-unix.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/utils/apparmor/rule/unix.py b/utils/apparmor/rule/unix.py
index c071a216a..ae8f978ee 100644
--- a/utils/apparmor/rule/unix.py
+++ b/utils/apparmor/rule/unix.py
@@ -47,7 +47,7 @@ sep = r'\s*[\s,]\s*'
 unix_accesses = rf'\s*(\s*(?P\({join_access}({sep}{join_access})*\s*\)|{join_access}))?'
 unix_rule_conds = rf'(\s*({re_cond_set("type")}|{re_cond_set("protocol")}))*'
 unix_local_expr = rf'(\s*({re_cond("addr")}|{re_cond("label")}|{re_cond("attr")}|{re_cond("opt")}))*'
-unix_peer_expr = rf'peer\s*=\s*\((\s*({re_cond("addr", "addr_peer")}|{re_cond("label", "label_peer")}))*\)'
+unix_peer_expr = rf'peer\s*=\s*\((\s*({re_cond("addr", "addr_peer")}|{re_cond("label", "label_peer")})(\s*,)?)*\)'
 RE_UNIX_DETAILS = re.compile(rf'^(\s*{unix_accesses})?(\s*{unix_rule_conds})?(\s*{unix_local_expr})?(\s*{unix_peer_expr})?\s*$')
diff --git a/utils/test/test-unix.py b/utils/test/test-unix.py
index 4a4cf0568..15614466a 100644
--- a/utils/test/test-unix.py
+++ b/utils/test/test-unix.py
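Review bot: The added `(\s*,)?` group in `unix_peer_expr` does not seem to stop an unquoted value from taking the comma itself: the test this patch adds for `peer=( label=la, addr="@/h")` expects the label `'la,'`, so the separator ends up inside the peer label. `re_cond` is defined outside this hunk, so this is inferred, but if its unquoted-value alternative accepts `,`, the new group only ever matches after quoted values. A peer label of `la,` is a different confinement label from `la`, which matters wherever the tools compare or re-emit the rule. Excluding `,` from the unquoted value in `re_cond`, or stripping it when the peer dict is built, would make both spellings parse the same. Until then a comment on this line such as `# unquoted values still absorb a trailing ','; only quoted values are comma-separated` would record the limitation.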
@@ -42,6 +42,10 @@ class UnixTestParse(AATest):
 ('unix peer=(addr=@/tmp/foo-*),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-*'}, False, False, False, '')),
 ('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),', UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')), # noqa: E127
+ ('unix peer=( label=la, addr="@/h"),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/h', 'label': 'la,'}, False, False, False, '')),
+ ('unix peer=(addr="@/h o", label="l a"),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/h o', 'label': 'l a'}, False, False, False, '')),
+ ('unix addr="@/h" label=la,', UnixRule(UnixRule.ALL, UnixRule.ALL, {'addr': '@/h', 'label': 'la'}, UnixRule.ALL, False, False, False, '')),
+ ('unix addr="@/h o" label="l a",', UnixRule(UnixRule.ALL, UnixRule.ALL, {'addr': '@/h o', 'label': 'l a'}, UnixRule.ALL, False, False, False, '')),
 )
 def _run_test(self, rawrule, expected):
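Review bot: The four added cases are all inputs the parser is meant to accept, so nothing pins where the widened peer pattern stops. Because the new comma group is optional after every condition, a trailing comma before the closing parenthesis, as in the constructed input `unix peer=(addr="a",),`, presumably parses as well. A case stating whether that spelling is valid would document the intent. The expected `'label': 'la,'` in the first added case would also benefit from a short trailing comment such as `# unquoted value keeps the ','`, so a later reader does not take it for a typo. The enclosing tuple starts above the hunk and `_run_test` continues below it.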