Merge mount: accept fstype and options in any order

Note: If multiple fstype= or options= are given, this is not detected as an error (to keep the regex simpler). When writing back such a rule, only one fstype and options will "survive". Adjust the exclude list in test-parser-simple-tests.py accordingly: - several valid mount rules no longer fail - two invalid mount rules which so far accidentally raised an exception because of the fstype/options order no longer raise this exception (conflicting mount options, which are the real reason why these rules are invalid, are not detected in the tools) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501 I propose this fix for 4.0, 4.1 and master. (Note: excluding `mount/ok_opt_86.sd` was added in !1561, so we either need to also backport this, or have to slightly adjust this MR for backporting.) Closes #501 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1616 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-30 05:47:59 +00:00 · 2025-04-06 06:56:22 +00:00 · 2025-04-06 06:56:22 +00:00 · 37666dd736
commit 37666dd736
parent 46a6c3b061 7726c86b79
2 changed files with 6 additions and 13 deletions
--- a/utils/apparmor/rule/mount.py
+++ b/utils/apparmor/rule/mount.py
@ -54,7 +54,10 @@ option_pattern = r'\s*(\boption(s?)\b\s*(?P<options_equals_or_in>=|in)\s*'\
    r'(?P<options>\(\s*(' + join_valid_flags + r')(' + sep + r'(' + join_valid_flags + r'))*\s*\)|' \
    r'(\s*' + join_valid_flags + r')'\
    r'))?'
-mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?'
+
+# allow any order of fstype and options
+# Note: also matches if multiple fstype= or options= are given to keep the regex simpler
+mount_condition_pattern = rf'({fs_type_pattern}\s*|{option_pattern}\s*)*'

 # Source can either be
 # - A path          : /foo
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@ -87,6 +87,8 @@ exception_not_raised = (
    'mount/bad_opt_31.sd',
    'mount/bad_1.sd',
    'mount/bad_2.sd',
+    'mount/bad_3.sd',
+    'mount/bad_4.sd',

    'profile/flags/flags_bad10.sd',
    'profile/flags/flags_bad11.sd',
@ -315,15 +317,6 @@ unknown_line = (
    'bare_include_tests/ok_85.sd',
    'bare_include_tests/ok_86.sd',

-    # According to spec mount should be in the form fstype=... options=... and NOT in the form options=... fstype=...
-    'mount/ok_opt_combo_3.sd',
-    'mount/ok_opt_combo_2.sd',
-    'mount/ok_opt_combo_1.sd',
-    'mount/ok_opt_combo_4.sd',
-
-    # Options should be comma separated
-    'mount/in_4.sd',  # also order option then fstype is invalid
-
    # Unsupported \\" in unix AARE
    'unix/ok_regex_03.sd',
    'unix/ok_regex_09.sd',
@ -441,9 +434,6 @@ syntax_failure = (
    'network/network_ok_17.sd',
    'network/network_ok_45.sd',
    'network/network_ok_46.sd',
-
-    # detached mount
-    'mount/ok_opt_86.sd',
 )