
Merge utils: Improve regex for mount source and target

* Make glob_pattern more readable
    - replace filename and variable regex parts with RE_PROFILE_PATH_OR_VAR
    - split to multiline string

* Move `[\w-]+` into inner match group by removing/moving the ')' after the empty source.

* Prepare source_fileglob_pattern and dest_fileglob_pattern to be customizable by moving the closing ')))' into each of them.

* Allow empty source and any word only in mount source

See the individual commits for details.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1574
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
John Johansen
2025-03-18 04:55:21 +00:00


@@ -15,7 +15,7 @@ import re
from apparmor.common import AppArmorBug, AppArmorException
from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis, strip_quotes
from apparmor.regex import RE_PROFILE_MOUNT, RE_PROFILE_PATH_OR_VAR, strip_parenthesis, strip_quotes
from apparmor.rule import AARE
from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, logprof_value_or_all, check_and_split_list
@@ -66,9 +66,25 @@ mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?'
# - A path : /foo
# - A globbed Path : **
glob_pattern = r'(\s*(?P<%s>([/{]\S*|\*\*\S*|"[/{][^"]*"|\*\*[^"]*"|@{\S+}\S*|"@{\S+}[^"]*"|"")|[\w-]+))'
source_fileglob_pattern = glob_pattern % 'source_file'
dest_fileglob_pattern = glob_pattern % 'dest_file'
glob_pattern = (
r'(\s*(?P<%s>('
+ RE_PROFILE_PATH_OR_VAR % 'IGNOREDEV' # path or variable
+ r'|\{\S*|"\{[^"]*"' # alternation, optionally quoted (note: no leading "/" needed/enforced)
+ r'|\*\*\S*|\*\*[^"]*"' # starting with "**"
# Note: the closing ')))' needs to be added in the final regex
)
source_fileglob_pattern = (
glob_pattern % 'source_file'
+ r'|""' # empty source
+ r'|[\w-]+' # any word including "-"
+ ')))'
)
dest_fileglob_pattern = (
glob_pattern.replace('IGNOREDEV', 'IGNOREMP') % 'dest_file'
+ ')))'
)
RE_MOUNT_DETAILS = re.compile(r'^\s*' + mount_condition_pattern + rf'(\s+{source_fileglob_pattern})?' + rf'(\s+->\s+{dest_fileglob_pattern})?\s*' + r'$')
RE_UMOUNT_DETAILS = re.compile(r'^\s*' + mount_condition_pattern + rf'(\s+{dest_fileglob_pattern})?\s*' + r'$')
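Review bot: The quoted `**` alternative on the `# starting with "**"` line of the new `glob_pattern` has a closing quote but no opening one (`\*\*[^"]*"`), unlike the quoted brace form `"\{[^"]*"` on the line above it, so a quoted source or target beginning with `"**` appears to match no branch, while the unquoted `\*\*\S*` already accepts a stray trailing quote. The removed one-line pattern had the same asymmetry, so this refactor carries it forward rather than introducing it; if it is unintentional, the line would read `+ r'|\*\*\S*|"\*\*[^"]*"'  # starting with "**", optionally quoted`. Separately, `glob_pattern.replace('IGNOREDEV', 'IGNOREMP')` renames what is presumably a named group by plain string substitution, which silently does nothing if the placeholder name ever changes; a comment there such as `# rename the inner group so source and dest can coexist in RE_MOUNT_DETAILS` would make the intent explicit.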