parser: Fix expansion of variables in unix rules addr= conditional

The parser is not treating unix addr as a path and filtering slashes after variable expansion. This can lead to errors where @{foo}=/a/ unix bind addr=@{foo}/bar, will always fail because addr is being matched as /a//bar instead of /a/bar. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607 Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 01:57:43 +00:00 · 2020-08-31 19:01:06 -07:00 · 2020-08-31 19:01:06 -07:00 · 6af05006d9
commit 6af05006d9
parent 46c355345e
3 changed files with 4 additions and 1 deletions
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@ -157,9 +157,11 @@ int unix_rule::expand_variables(void)
 	error = expand_entry_variables(&addr);
 	if (error)
 		return error;
+	filter_slashes(addr);
 	error = expand_entry_variables(&peer_addr);
 	if (error)
 		return error;
+	filter_slashes(peer_addr);

 	return 0;
 }
--- a/parser/parser.h
+++ b/parser/parser.h
@ -402,6 +402,7 @@ extern int post_process_entry(struct cod_entry *entry);
 extern int process_policydb(Profile *prof);

 extern int process_policy_ents(Profile *prof);
+extern void filter_slashes(char *path);

 /* parser_variable.c */
 int expand_entry_variables(char **name);
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -47,7 +47,7 @@ enum error_type {
 * that's a distinct namespace in linux) and trailing slashes.
 * NOTE: modifies in place the contents of the path argument */

-static void filter_slashes(char *path)
+void filter_slashes(char *path)
 {
 	char *sptr, *dptr;
 	BOOL seen_slash = 0;