util: enhance AARE file path validation

Fixes https://bugs.launchpad.net/apparmor/+bug/2106033 Improve the validation of AARE file paths by introducing a new regex that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}'). These paths are notably used in snap.lxd.* profiles. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-09-05 00:35:13 +00:00 · 2025-04-02 17:24:41 +02:00
parent ca0b695c0c
commit dbf4c27154
4 changed files with 40 additions and 8 deletions
--- a/utils/test/test-aare.py
+++ b/utils/test/test-aare.py
@@ -238,6 +238,8 @@ class TestAAREIsPath(AATest):
        (('/foo*',    True,     '/foobar'), True),
        (('@{PROC}/', True,     '/foobar'), False),
        (('foo*',     False,    'foobar'),  True),
+        (('{/a,/b}',  True,     '/a'),      True),
+        (('{@{X},/b}', True,    '/b'),      True),
    )

    def _run_test(self, params, expected):
@@ -249,6 +251,18 @@ class TestAAREIsPath(AATest):
        with self.assertRaises(AppArmorException):
            AARE('foo*', True)

+    def test_path_bad_alternative(self):
+        with self.assertRaises(AppArmorException):
+            AARE('{/a,@{foo},invalid}', True)
+
+    def test_path_bad_alternative2(self):
+        with self.assertRaises(AppArmorException):
+            AARE('{invalid,@{X},/X}', True)
+
+    def test_path_bad_alternative3(self):
+        with self.assertRaises(AppArmorException):
+            AARE('{/foo,@{invalid,/X}', True)
+

 class TestAARERepr(AATest):
    def test_repr(self):