Check for mount rules with multiple 'fstype'

... and adjust the tools to raise an exception if such a rule is found. While this is not nice, it's better than the previous behaviour where only the last 'fstype' was kept, and the others were lost when writing the rule. (cherry picked from commit b5894687ed) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 14:25:52 +00:00 · 2025-04-06 14:33:56 +02:00
parent 9178bfc444
commit 3023e6cd09
4 changed files with 36 additions and 5 deletions
--- a/parser/tst/simple_tests/mount/ok_opt_88.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_88.sd
@@ -0,0 +1,14 @@
+#
+#=Description mount rule with multiple fstype
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options=(ro) fstype=ext3 fstype=ext4 -> /destination,
+  mount fstype=ext3 options=(ro) fstype=ext4 -> /destination,
+
+  mount options=(ro) fstype in (ext3) fstype in (ext4) -> /destination,
+  mount fstype in (ext3) options=(ro) fstype in (ext4) -> /destination,
+
+  mount options=(ro) fstype in (ext3) fstype=(ext4) -> /destination,
+  mount fstype in (ext3) options=(ro) fstype=ext4 -> /destination,
+}
--- a/utils/apparmor/rule/mount.py
+++ b/utils/apparmor/rule/mount.py
@@ -92,9 +92,11 @@ dest_fileglob_pattern = (
 RE_MOUNT_DETAILS = re.compile(r'^\s*' + mount_condition_pattern + rf'(\s+{source_fileglob_pattern})?' + rf'(\s+->\s+{dest_fileglob_pattern})?\s*' + r'$')
 RE_UMOUNT_DETAILS = re.compile(r'^\s*' + mount_condition_pattern + rf'(\s+{dest_fileglob_pattern})?\s*' + r'$')

-# check if a rule contains multiple 'options'
-# (not using option_pattern here because a) it also matches an empty string, and b) using it twice would cause name conflicts)
-RE_MOUNT_MULTIPLE_OPTIONS = re.compile(r'\soptions\s*(=|\sin\s).*\soptions\s*(=|\sin\s)')
+# check if a rule contains multiple 'options' or 'fstype'
+# (not using option_pattern or fs_type_pattern here because a) it also matches an empty string, and b) using it twice would cause name conflicts)
+multi_param_template = r'\sPARAM\s*(=|\sin).*\sPARAM\s*(=|\sin)'
+RE_MOUNT_MULTIPLE_OPTIONS = re.compile(multi_param_template.replace('PARAM', 'options'))
+RE_MOUNT_MULTIPLE_FS_TYPE = re.compile(multi_param_template.replace('PARAM', 'v?fstype'))


 class MountRule(BaseRule):
@@ -180,6 +182,11 @@ class MountRule(BaseRule):
                raise AppArmorException('Can\'t parse mount rule ' + raw_rule)

            if r['fstype'] is not None:
+                # mount rules with multiple 'fstype' are not supported by the tools yet, and when writing them, only the last 'fstype' would survive.
+                # Therefore raise an exception when parsing such a rule to prevent breaking the rule.
+                if RE_MOUNT_MULTIPLE_FS_TYPE.search(raw_rule):
+                    raise AppArmorException("mount rules with multiple 'fstype' are not supported by the tools")
+
                is_fstype_equal = r['fstype_equals_or_in']
                fstype = parse_aare_list(strip_parenthesis(r['fstype']), 'fstype')
            else:
--- a/utils/test/test-mount.py
+++ b/utils/test/test-mount.py
@@ -103,6 +103,14 @@ class MountTestParseInvalid(AATest):
        ('mount options in (ro) fstype=ext4 options in (rw) -> /destination,',  AppArmorException),
        ('mount options = (ro) options in (rw) fstype=ext4 -> /destination,',   AppArmorException),
        ('mount options = (ro) fstype=ext4 options in (rw) -> /destination,',   AppArmorException),
+
+        # mount rules with multiple 'fstype' are not supported by the tools yet, and when writing them, only the last 'fstype' would survive. Therefore MountRule intentionally raises an exception when parsing such a rule.
+        ('mount options=(ro) fstype=ext3 fstype=ext4 -> /destination,',             AppArmorException),
+        ('mount fstype=ext3 options=(ro) fstype=ext4 -> /destination,',             AppArmorException),
+        ('mount options=(ro) fstype in (ext3) fstype in (ext4) -> /destination,',   AppArmorException),
+        ('mount fstype in (ext3) options=(ro) fstype in (ext4) -> /destination,',   AppArmorException),
+        ('mount options=(ro) fstype in (ext3) fstype=(ext4) -> /destination,',      AppArmorException),
+        ('mount fstype in (ext3) options=(ro) fstype=ext4 -> /destination,',        AppArmorException),
    )

    def _run_test(self, rawrule, expected):
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -415,8 +415,10 @@ syntax_failure = (
    'file/file/ok_embedded_spaces_4.sd',  # \-escaped space
    'file/ok_quoted_4.sd',  # quoted string including \"

-    # mount rules with multiple 'options' are not supported by the tools yet, and when writing them, only the last 'options' would survive. Therefore MountRule intentionally raises an exception when parsing such a rule.
-    'mount/ok_opt_87.sd',
+    # mount rules with multiple 'options' or 'fstype' are not supported by the tools yet, and when writing them, only the last 'options'/'fstype' would survive.
+    # Therefore MountRule intentionally raises an exception when parsing such a rule.
+    'mount/ok_opt_87.sd',  # multiple options
+    'mount/ok_opt_88.sd',  # multiple fstype

    # misc
    'vars/vars_dbus_12.sd',  # AARE starting with {{ are not handled