From 2852e1ecdf9e7bd754e75e0c9adfaeadeea48a67 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Sun, 14 Mar 2021 08:50:16 -0700
Subject: [PATCH] parser: fix filter slashes for link targets

The parser is failing to properly filter the slashes in the link name after variable expansion. Causing match failures when multiple slashes occur.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/723
Signed-off-by: John Johansen
Acked-by: Steve Beattie
---
 parser/parser_regex.c | 1 +
 parser/tst/equality.sh | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 8b4a4866a..e04d44be9 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -642,6 +642,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 int pos;
 vec[0] = tbuf.c_str();
 if (entry->link_name) {
+ filter_slashes(entry->link_name);
 ptype = convert_aaregex_to_pcre(entry->link_name, 0, glob_default, lbuf, &pos);
 if (ptype == ePatternInvalid)
 return FALSE;
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 147432603..f607859f2 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -618,6 +618,20 @@ verify_binary_equality "mount rules slash filtering" \
 "@{FOO}=/foo
 /t { mount /dev//@{FOO} -> /mnt/bar, }"
 
+# verify slash filtering for link rules
+verify_binary_equality "link rules slash filtering" \
+ "/t { link /dev/foo -> /mnt/bar, }" \
+ "/t { link ///dev/foo -> /mnt/bar, }" \
+ "/t { link /dev/foo -> /mnt//bar, }" \
+ "/t { link /dev///foo -> ////mnt/bar, }" \
+ "@{BAR}=/mnt/
+ /t { link /dev///foo -> @{BAR}/bar, }" \
+ "@{FOO}=/dev/
+ /t { link @{FOO}//foo -> /mnt/bar, }" \
+ "@{FOO}=/dev/
+ @{BAR}=/mnt/
+ /t { link @{FOO}/foo -> @{BAR}/bar, }" \
+
 if [ $fails -ne 0 ] || [ $errors -ne 0 ]
 then
 printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
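Review bot: The added `filter_slashes(entry->link_name);` call in process_dfa_entry has no comment saying why the normalisation has to happen at this point rather than at parse time. The commit message gives the reason (repeated slashes only appear after variable expansion), and a one-line comment such as `/* variable expansion can reintroduce repeated slashes; collapse them before building the link pattern */` would keep a later refactor from moving or dropping it. This matters for enforcement, because a link target that fails to match means the rule silently does not apply, which for a deny rule would presumably leave the link governed by whatever other rule matches. The call appears to rewrite `entry->link_name` in place, so it is worth confirming that nothing later depends on the original spelling. process_dfa_entry starts and ends outside the hunk.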
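Review bot: The last argument of the new `verify_binary_equality "link rules slash filtering"` call ends with a trailing ` \`, so the command terminates only because of the blank line that follows it; the mount block just above ends its final profile without one. If that blank line is ever removed, the `if [ $fails -ne 0 ] ...` line is absorbed into the argument list, so the final profile should end as `/t { link @{FOO}/foo -> @{BAR}/bar, }"`. All the new cases are allow rules; a `deny link` variant with repeated slashes would cover the case where a match failure loosens the policy instead of tightening it.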