mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-04 00:05:14 +00:00
Code Issues Releases Wiki Activity

Profiles that specify a name and attachment specification fail to attach when the

Browse Source 
attachment specification doesn't contain globbing.

eg.
   # profile name and attachment the same - attaches as expected
   profile /usr/lib/chromium-browser/chromium-browser

   # profile without attachment specification - does not attach as expected
  profile chromium-browser

  # profile with name and attachment specification where the attachment specification uses globbing - attaches as expected
  profile chromium-browser /usr/lib/chromium-browser/chromium-broswer*

  # profile with name and attachment specification without globbing - FAILS to attach when it should
  profile chromium-browser /usr/lib/chromium-browser/chromium-browser


This occurs because the xmatch_len is not set correctly for the profiles that specify
a name and an attachment specification, where the attachment specification does not
contain globbing characters.

In this situation the correct length for the xmatch_len is the length of the name, as
the shortest possible unambiguous match is the name length.

This patch does not fix a related bug where an attachment specification of ** will not
match (/**) will.
This commit is contained in:
John Johansen
2011-03-08 10:12:09 -08:00
parent 9819bf5df0
commit 258c39d4a5
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
parser/parser_regex.c
View File

@@ -392,6 +392,8 @@ static int process_profile_name_xmatch(struct codomain *cod)
name = local_name(cod->name); name = local_name(cod->name);
ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3, ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
&cod->xmatch_len); &cod->xmatch_len);
if (ptype == ePatternBasic)
cod->xmatch_len = strlen(name);
if (ptype == ePatternInvalid) { if (ptype == ePatternInvalid) {
PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name); PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
@@ -414,8 +416,14 @@ static int process_profile_name_xmatch(struct codomain *cod)
struct alt_name *alt; struct alt_name *alt;
list_for_each(cod->altnames, alt) { list_for_each(cod->altnames, alt) {
int len; int len;
convert_aaregex_to_pcre(alt->name, 0, tbuf, ptype = convert_aaregex_to_pcre(alt->name, 0,
PATH_MAX + 3, &len); tbuf,
PATH_MAX + 3,
&len);
if (ptype == ePatternBasic)
len = strlen(alt->name);
if (len < cod->xmatch_len)
cod->xmatch_len = len;
if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) { if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) {
aare_delete_ruleset(rule); aare_delete_ruleset(rule);
return FALSE; return FALSE;