mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 13:28:19 +00:00
Code Issues Releases Wiki Activity

parser: make lead # in assignment value indicate a comment

Browse Source 
technically a # leading a value in an assignment expression is allowed,
however people are also using it to a comment at the end of a line.
ie.

  @{var1}=value1    # comment about this value or for a given system

this unsurprisingly leads to odd/unexpected behavior when the variable
is used.

  allow rw /@{var1},

expands into
  allow rw /{value1,#,comment,about,this,value,or,for,a,given,system},

change a leading # as value in an assignment expression to a comment.
If the # is really supposed to lead the value, require it to be escaped
or in quotes.
ie.

  @{var1}=value1 \#not_a_comment

Note: this could potentially break som policy if the # was used as the
      leading character for a value in an assignment expression, but
      is worth it to avoid the confusion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2024-06-07 16:43:22 -07:00
parent 1ec42d8bec
commit 8fe75b8e9c
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
parser/parser_lex.l
View File

@ -255,9 +255,11 @@ MODES {MODE_CHARS}+
WS [[:blank:]] WS [[:blank:]]
NUMBER [[:digit:]]+ NUMBER [[:digit:]]+
ID_FIRST_CHARS [^ \t\r\n"!,#]
ID_FIRST {ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,|\\#)
ID_CHARS [^ \t\r\n"!,] ID_CHARS [^ \t\r\n"!,]
ID {ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,) ID {ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,)
IDS {ID}+ IDS {ID_FIRST}{ID}*
INC_ID [^ \t\r\n"!,<>]|(,[^ \t\r\n"!,<>]|\\[ ]|\\\t|\\\"|\\!|\\,) INC_ID [^ \t\r\n"!,<>]|(,[^ \t\r\n"!,<>]|\\[ ]|\\\t|\\\"|\\!|\\,)
INC_IDS {INC_ID}+ INC_IDS {INC_ID}+
POST_VAR_ID_CHARS [^ \t\n"!,]{-}[=\+] POST_VAR_ID_CHARS [^ \t\n"!,]{-}[=\+]
@ -507,6 +509,12 @@ GT >
yyerror(_("Variable declarations do not accept trailing commas")); yyerror(_("Variable declarations do not accept trailing commas"));
} }
#.*\r?\n { /* normal comment */
DUMP_AND_DEBUG("comment(%d): %s\n", current_lineno, yytext);
current_lineno++;
POP();
}
\\\n { DUMP_PREPROCESS; current_lineno++ ; } \\\n { DUMP_PREPROCESS; current_lineno++ ; }
\r?\n { \r?\n {

12
parser/tst/equality.sh
View File

@ -643,6 +643,18 @@ verify_binary_equality "attachment slash filtering" \
@{FOO}=/foo @{FOO}=/foo
/t @{BAR}/@{FOO} { }" /t @{BAR}/@{FOO} { }"
# verify comment at end of variable assignment is not treated as a value
verify_binary_equality "comment at end of set var" \
"/t { /bin/ r, }" \
"@{BAR}=/bin/ #a tail comment
/t { @{BAR} r, }"
verify_binary_equality "value like comment at end of set var" \
"/t { /{bin/,#value} r, }" \
"@{BAR}=bin/ \#value
/t { /@{BAR} r, }"
# This can potentially fail as ideally it requires a better dfa comparison # This can potentially fail as ideally it requires a better dfa comparison
# routine as it can generates hormomorphic dfas. The enumeration of the # routine as it can generates hormomorphic dfas. The enumeration of the
# dfas dumped will be different, even if the binary is the same # dfas dumped will be different, even if the binary is the same