mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity

Fix change_profile so that it works with regular expressions (lpn390810)

Browse Source 
Change_profile was broken so that it couldn't parse expressions that
weren't path based or started with a variable.  Furthermore if the name
held any expressions it was not hanlded correctly, as it was being passed
directly to dfa conversion without going through glob -> pcre conversion.
This commit is contained in:
John Johansen 2009-07-23 21:18:37 +00:00
parent 298b32e82e
commit 6afe6185be
13 changed files with 496 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
parser/parser_lex.l
View File

@ -87,6 +87,7 @@ LT_EQUAL <=
%x FLAGS_MODE
%x ASSIGN_MODE
%x RLIMIT_MODE
%x CHANGE_PROFILE_MODE
%%
@ -237,6 +238,47 @@ LT_EQUAL <=
}
}
<CHANGE_PROFILE_MODE>{
{ARROW} {
PDEBUG("Matched a arrow\n");
yylval = (YYSTYPE) yytext;
return TOK_ARROW;
}
{ID}+ {
/* Ugh, this is a gross hack. I used to use
* {ID}+ to match all TOK_IDs, but that would
* also match TOK_MODE + TOK_END_OF_RULE
* without any spaces in between (because it's
* a longer match). So now, when I want to
* match any random string, I go into a
* seperate state. */
yylval = (YYSTYPE) processunquoted(yytext, yyleng);
PDEBUG("Found sub name: \"%s\"\n", yylval);
BEGIN(INITIAL);
return TOK_ID;
}
{QUOTED_ID} {
/* Ugh, this is a gross hack. I used to use
* {ID}+ to match all TOK_IDs, but that would
* also match TOK_MODE + TOK_END_OF_RULE
* without any spaces in between (because it's
* a longer match). So now, when I want to
* match any random string, I go into a
* seperate state. */
yylval = (YYSTYPE) processquoted(yytext, yyleng);
PDEBUG("Found sub name: \"%s\"\n", yylval);
BEGIN(INITIAL);
return TOK_ID;
}
{WS}+ { /* Ignoring whitespace */ }
[^\n] {
/* Something we didn't expect */
yyerror(_("Found unexpected character: '%s'"), yytext);
}
}
#.*\n { /* Comment - ignore */
current_lineno++;
PDEBUG("Line no++: %d\n", current_lineno);
@ -377,6 +419,9 @@ LT_EQUAL <=
case TOK_NETWORK:
BEGIN(NETWORK_MODE);
break;
case TOK_CHANGE_PROFILE:
BEGIN(CHANGE_PROFILE_MODE);
break;
default: /* nothing */
break;
}

11
parser/parser_regex.c
View File

@ -487,6 +487,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
if (!entry) /* shouldn't happen */
return TRUE;
ptype = convert_aaregex_to_pcre(entry->name, 0, tbuf, PATH_MAX + 3);
if (ptype == ePatternInvalid)
return FALSE;
@ -513,7 +514,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
entry->mode & ~AA_LINK_BITS,
entry->audit & ~AA_LINK_BITS))
return FALSE;
} else {
} else if (entry->mode & ~AA_CHANGE_PROFILE) {
if (!aare_add_rule(dfarules, tbuf, entry->deny, entry->mode,
entry->audit))
return FALSE;
@ -542,12 +543,14 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
if (entry->mode & AA_CHANGE_PROFILE) {
if (entry->namespace) {
char *vec[2];
vec[0] = entry->namespace;
vec[1] = entry->name;
char lbuf[PATH_MAX + 8];
ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8);
vec[0] = lbuf;
vec[1] = tbuf;
if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec))
return FALSE;
} else {
if (!aare_add_rule(dfarules, entry->name, 0, AA_CHANGE_PROFILE, 0))
if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0))
return FALSE;
}
}

11
parser/tst/simple_tests/change_profile/ok_6.sd Normal file
View File

@ -0,0 +1,11 @@
#
#=DESCRIPTION change_profile with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> "/bin/foo",
}
/usr/bin/foo2 {
change_profile -> "/bin/ foo",
}

11
parser/tst/simple_tests/change_profile/ok_7.sd Normal file
View File

@ -0,0 +1,11 @@
#
#=DESCRIPTION change_profile to a hat with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> "/bin/foo//bar",
}
/usr/bin/foo2 {
change_profile -> "/bin/foo// bar",
}

11
parser/tst/simple_tests/change_profile/ok_8.sd Normal file
View File

@ -0,0 +1,11 @@
#
#=DESCRIPTION change_profile with name space with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> ":foo:/bin/foo",
}
/usr/bin/foo2 {
change_profile -> ":foo:/bin/ foo",
}

24
parser/tst/simple_tests/change_profile/re_ok_1.sd Normal file
View File

@ -0,0 +1,24 @@
#
#=DESCRIPTION change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> /bin/*,
}
/usr/bin/foo2 {
change_profile -> /bin/**,
}
/usr/bin/foo3 {
change_profile -> /bin/?,
}
/usr/bin/foo4 {
change_profile -> /bin/[ab],
}
/usr/bin/foo5 {
change_profile -> /bin/[^ab],
}

69
parser/tst/simple_tests/change_profile/re_ok_2.sd Normal file
View File

@ -0,0 +1,69 @@
#
#=DESCRIPTION change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> /bin/foo//bar,
}
/usr/bin/foo2 {
change_profile -> /bin/foo//ba*,
}
/usr/bin/foo3 {
change_profile -> /bin/foo//ba**,
}
/usr/bin/foo4 {
change_profile -> /bin/foo//ba?,
}
/usr/bin/foo5 {
change_profile -> /bin/foo//ba[ab],
}
/usr/bin/foo6 {
change_profile -> /bin/foo//ba[^ab],
}
/usr/bin/foo7 {
change_profile -> /bin/fo*//bar,
}
/usr/bin/foo8 {
change_profile -> /bin/fo**//bar,
}
/usr/bin/foo9 {
change_profile -> /bin/fo?//bar,
}
/usr/bin/foo10 {
change_profile -> /bin/fo[ab]//bar,
}
/usr/bin/foo11 {
change_profile -> /bin/fo[^ab]//bar,
}
/usr/bin/foo12 {
change_profile -> /bin/fo*//ba*,
}
/usr/bin/foo13 {
change_profile -> /bin/fo**//ba**,
}
/usr/bin/foo14 {
change_profile -> /bin/fo?//ba?,
}
/usr/bin/foo15 {
change_profile -> /bin/fo[ab]//ba[ab],
}
/usr/bin/foo16 {
change_profile -> /bin/fo[^ab]//ba[^ab],
}

67
parser/tst/simple_tests/change_profile/re_ok_3.sd Normal file
View File

@ -0,0 +1,67 @@
#
#=DESCRIPTION change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> :foo:/bin/foo,
}
/usr/bin/foo2 {
change_profile -> :foo:/bin/fo*,
}
/usr/bin/foo3 {
change_profile -> :foo:/bin/fo**,
}
/usr/bin/foo4 {
change_profile -> :foo:/bin/fo?,
}
/usr/bin/foo5 {
change_profile -> :foo:/bin/fo[ab],
}
/usr/bin/foo6 {
change_profile -> :foo:/bin/fo[^ab],
}
/usr/bin/foo7 {
change_profile -> :fo*:/bin/foo,
}
/usr/bin/foo8 {
change_profile -> :fo**:/bin/foo,
}
/usr/bin/foo9 {
change_profile -> :fo?:/bin/foo,
}
/usr/bin/foo10 {
change_profile -> :fo[ab]:/bin/foo,
}
/usr/bin/foo11 {
change_profile -> :fo[^ab]:/bin/foo,
}
/usr/bin/foo12 {
change_profile -> :fo*:/bin/fo*,
}
/usr/bin/foo13 {
change_profile -> :fo**:/bin/fo**,
}
/usr/bin/foo14 {
change_profile -> :fo?:/bin/fo?,
}
/usr/bin/foo15 {
change_profile -> :fo[ab]:/bin/fo[ab],
}
/usr/bin/foo16 {
change_profile -> :fo[^ab]:/bin/fo[^ab],
}

51
parser/tst/simple_tests/change_profile/re_ok_4.sd Normal file
View File

@ -0,0 +1,51 @@
#
#=DESCRIPTION change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
@{LIBVIRT_RE}="libvirt*"
/usr/bin/foo {
change_profile -> @{LIBVIRT}-fo*,
}
/usr/bin/foo2 {
change_profile -> @{LIBVIRT}-fo**,
}
/usr/bin/foo3 {
change_profile -> @{LIBVIRT}-fo[ab],
}
/usr/bin/foo4 {
change_profile -> @{LIBVIRT}-fo[^ab],
}
/usr/bin/foo5 {
change_profile -> @{LIBVIRT}-fo?,
}
/usr/bin/foo6 {
change_profile -> @{LIBVIRT_RE}-foo,
}
/usr/bin/foo7 {
change_profile -> @{LIBVIRT_RE}-fo*,
}
/usr/bin/foo8 {
change_profile -> @{LIBVIRT_RE}-fo**,
}
/usr/bin/foo9 {
change_profile -> @{LIBVIRT_RE}-fo?,
}
/usr/bin/foo10 {
change_profile -> @{LIBVIRT_RE}-fo[ab],
}
/usr/bin/foo11 {
change_profile -> @{LIBVIRT_RE}-fo[^ab],
}

25
parser/tst/simple_tests/change_profile/re_ok_5.sd Normal file
View File

@ -0,0 +1,25 @@
#
#=DESCRIPTION change_profile with just res
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> *,
}
/usr/bin/foo2 {
change_profile -> **,
}
/usr/bin/foo3 {
change_profile -> ?,
}
/usr/bin/foo4 {
change_profile -> [ab],
}
/usr/bin/foo5 {
change_profile -> [^ab],
}

65
parser/tst/simple_tests/change_profile/re_ok_6.sd Normal file
View File

@ -0,0 +1,65 @@
#
#=DESCRIPTION change_profile with just res, child profile
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> *//ab,
}
/usr/bin/foo2 {
change_profile -> **//ab,
}
/usr/bin/foo3 {
change_profile -> ?//ab,
}
/usr/bin/foo4 {
change_profile -> [ab]//ab,
}
/usr/bin/foo5 {
change_profile -> [^ab]//ab,
}
/usr/bin/foo6 {
change_profile -> ab//*,
}
/usr/bin/foo7 {
change_profile -> ab//**,
}
/usr/bin/foo8 {
change_profile -> ab//?,
}
/usr/bin/foo9 {
change_profile -> ab//[ab],
}
/usr/bin/foo10 {
change_profile -> ab//[^ab],
}
/usr/bin/foo11 {
change_profile -> *//*,
}
/usr/bin/foo12 {
change_profile -> **//*,
}
/usr/bin/foo13 {
change_profile -> ?//*,
}
/usr/bin/foo14 {
change_profile -> [ab]//*,
}
/usr/bin/foo15 {
change_profile -> [^ab]//*,
}

65
parser/tst/simple_tests/change_profile/re_ok_7.sd Normal file
View File

@ -0,0 +1,65 @@
#
#=DESCRIPTION change_profile with just re, namespace
#=EXRESULT PASS
#
/usr/bin/foo {
change_profile -> :ab:*,
}
/usr/bin/foo2 {
change_profile -> :ab:**,
}
/usr/bin/foo3 {
change_profile -> :ab:?,
}
/usr/bin/foo4 {
change_profile -> :ab:[ab],
}
/usr/bin/foo5 {
change_profile -> :ab:[^ab],
}
/usr/bin/foo6 {
change_profile -> :*:ab,
}
/usr/bin/foo7 {
change_profile -> :**:ab,
}
/usr/bin/foo8 {
change_profile -> :?:ab,
}
/usr/bin/foo9 {
change_profile -> :[ab]:ab,
}
/usr/bin/foo10 {
change_profile -> :[^ab]:ab,
}
/usr/bin/foo11 {
change_profile -> :*:*,
}
/usr/bin/foo12 {
change_profile -> :**:**,
}
/usr/bin/foo13 {
change_profile -> :?:?,
}
/usr/bin/foo14 {
change_profile -> :[ab]:[ab],
}
/usr/bin/foo15 {
change_profile -> :[^ab]:[^ab],
}

45
parser/tst/simple_tests/change_profile/re_ok_8.sd Normal file
View File

@ -0,0 +1,45 @@
#
#=DESCRIPTION change_profile re with quotes
#=EXRESULT PASS
#
/usr/bin/foo5 {
change_profile -> "/bin/*",
}
/usr/bin/foo6 {
change_profile -> "/bin/**",
}
/usr/bin/foo7 {
change_profile -> "/bin/[ab]",
}
/usr/bin/foo8 {
change_profile -> "/bin/[^ab]",
}
/usr/bin/foo10 {
change_profile -> "/bin/?ab",
}
/usr/bin/foo11 {
change_profile -> "/bin/ *",
}
/usr/bin/foo12 {
change_profile -> "/bin/ **",
}
/usr/bin/foo13 {
change_profile -> "/bin/ [ab]",
}
/usr/bin/foo14 {
change_profile -> "/bin/ [^ab]",
}
/usr/bin/foo15 {
change_profile -> "/bin/ ?ab",
}