From d8360dc76564cfb2fe401ce9edbc51fa23d1edcc Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 19 Jun 2024 13:28:24 +0200
Subject: [PATCH] UnixRule: Fix handling of peers with a ?
`?` is a valid AARE char, add it to the regexes that match the AARE. Also add some tests to ensure this is really fixed, and make the error output of the tests more useful/verbose. Note: One of the added tests (with a space in the peer name) uncovered a bug in quote handling. This will be fixed in the next commit. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/404
---
 utils/apparmor/rule/unix.py | 4 ++--
 utils/test/test-unix.py | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/utils/apparmor/rule/unix.py b/utils/apparmor/rule/unix.py
index c5566df9d..da1466d16 100644
--- a/utils/apparmor/rule/unix.py
+++ b/utils/apparmor/rule/unix.py
@@ -23,8 +23,8 @@ from apparmor.translations import init_translation
 _ = init_translation()
-_aare = r'([][!/\\\,().*@{}\w^-]+)'
-_quoted_aare = r'"([][!/\\\,().*@{}\w\s^-]+)"'
+_aare = r'([][!/\\\,().*?@{}\w^-]+)'
+_quoted_aare = r'"([][!/\\\,().*?@{}\w\s^-]+)"'
 aare = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})\))'
 aare_set = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})+\))'
diff --git a/utils/test/test-unix.py b/utils/test/test-unix.py
index fd8dea6fd..decf2adab 100644
--- a/utils/test/test-unix.py
+++ b/utils/test/test-unix.py
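Review bot: The accepted-character list is still maintained by hand in two places, `_aare` and `_quoted_aare`, and nothing on these lines says what it is meant to mirror, which is presumably how a valid AARE character such as `?` went missing. A comment above the two patterns would help, for example `# Characters accepted in an AARE; keep in sync with the AARE grammar (*, ?, [] and {} are globbing syntax)`. These patterns act as the allowlist for what the tools recognise as a unix rule, so any other valid character still absent will cause the same kind of rejection. It may be worth checking the rest of the set against the grammar in one pass rather than one bug report at a time.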
@@ -37,6 +37,9 @@ class UnixTestParse(AATest):
 ('unix (accept, rw) protocol=AA type=BB,', UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, UnixRule.ALL, UnixRule.ALL, False, False, False, '')),
 ('unix shutdown addr=@srv,', UnixRule('shutdown', UnixRule.ALL, {'addr': '@srv'}, UnixRule.ALL, False, False, False, '')),
 ('unix send addr=@foo{a,b} peer=(label=splat),', UnixRule('send', UnixRule.ALL, {'addr': '@foo{a,b}'}, {'label': 'splat'}, False, False, False, '')),
+ ('unix peer=(addr=@/tmp/foo-??????),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-??????'}, False, False, False, '')),
+ # ('unix peer=(addr="@/tmp/f o-??????"),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/f o-??????'}, False, False, False, '')), # quote handling is broken
+ ('unix peer=(addr=@/tmp/foo-*),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-*'}, False, False, False, '')),
 ('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),', UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')), # noqa: E127
 )
@@ -45,7 +48,7 @@ class UnixTestParse(AATest):
 self.assertTrue(UnixRule.match(rawrule))
 obj = UnixRule.create_instance(rawrule)
 expected.raw_rule = rawrule.strip()
- self.assertTrue(obj.is_equal(expected, True))
+ self.assertTrue(obj.is_equal(expected, True), f'\n {rawrule} expected,\n {obj.get_clean()} returned by obj.get_clean()\n {expected.get_clean()} returned by expected.get_clean()')
 def test_diff_local(self):
 obj1 = UnixRule('send', UnixRule.ALL, {'addr': 'foo'}, UnixRule.ALL, )
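Review bot: The quoted-peer case is added only as a commented-out tuple, so the `?` this commit adds to `_quoted_aare` is not exercised by any test here; the two live cases cover the unquoted `_aare` path only. Rather than leaving dead code in the tuple, the case could go into its own test method marked `@unittest.expectedFailure` (assuming AATest builds on unittest), which reports itself as soon as the quote-handling fix lands. If it stays a comment, a marker such as `# TODO: enable once quote handling is fixed (follow-up commit)` makes it harder to forget. The tuple this hunk extends starts above the hunk.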
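Review bot: The `self.assertTrue(UnixRule.match(rawrule))` check just above the changed assertion is still bare, so a rule the regex rejects is reported only as "False is not true". For a character-class fix like this one that is the more likely failure, and `self.assertTrue(UnixRule.match(rawrule), f'{rawrule} did not match')` would cover it. The new message is also one very long f-string on a single line; splitting it into adjacent string literals inside the call would keep it readable. The method's signature lies outside the hunk.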