mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-23 02:27:12 +00:00
cfe20d2b63
Add userland support for matching based on extended file attributes. This leverages DFA based matching already in the kernel: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd Matching is exposed via flags on the profile: /usr/bin/* xattrs=(user.foo=bar user.bar=foo) { # ... } xattr values are appended to the existing xmatch via a null transition. $ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \ ./parser/apparmor_parser -QT -D expr-tree DFA: Expression Tree /usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1> DFA: Expression Tree (\a|(\n|(\0002|\t)))< 0x4> Tested manually on a 4.19 kernel via QEMU+KVM. TODO: * ~~Add regression tests~~ (EDIT: done) * ~~EDIT: add support in the tools~~ (EDIT: done) Questions for reviewers: * ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done) * ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done) /cc @mjg59 PR: https://gitlab.com/apparmor/apparmor/merge_requests/270 Signed-off-by: John Johansen <john.johansen@canonical.com>
Known Bugs: Will allow multiple letters in the () due to translation/unicode issues with regexing the key. User input will probably bug out in a different locale.