Hello, this patch splits off RE_PROFILE_NAME and RE_PROFILE_PATH from RE_PROFILE_START (might get re-used later ;-)
Also add two tests for profile names not starting with / - the quoted version wasn't catched as invalid before, so this change is actually also a bugfix. I propose this patch for trunk and 2.9.
[ 01-split-off-RE_PROFILE_NAME-and-PATH.diff ]
=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py 2015-04-24 22:05:14.670654871 +0200
+++ utils/apparmor/regex.py 2015-05-08 21:12:50.397146889 +0200
@@ -26,6 +26,9 @@
 RE_EOL = '\s*(?P<comment>#.*?)?\s*$' # optional whitespace, optional <comment>, optional whitespace, end of the line
 RE_COMMA_EOL = '\s*,' + RE_EOL # optional whitespace, comma + RE_EOL
 
+RE_PROFILE_NAME = '(?P<%s>(\S+|"[^"]+"))' # string without spaces, or quoted string. %s is the match group name
+RE_PROFILE_PATH = '(?P<%s>(/\S+|"/[^"]+"))' # filename (starting with '/') without spaces, or quoted filename. %s is the match group name
+
 RE_PROFILE_END = re.compile('^\s*\}' + RE_EOL)
 RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY + 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
 RE_PROFILE_LINK = re.compile(RE_AUDIT_DENY + 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + RE_COMMA_EOL)
@@ -62,9 +67,9 @@
 RE_PROFILE_START = re.compile(
     '^(?P<leadingspace>\s*)' +
     '(' +
-        '(?P<plainprofile>(/\S+|"[^"]+"))' + # just a path
+        RE_PROFILE_PATH % 'plainprofile' + # just a path
         '|' + # or
-        '(' + 'profile' + '\s+(?P<namedprofile>(\S+|"[^"]+"))' + '(\s+(?P<attachment>(/\S+|"/[^"]+")))?' + ')' + # 'profile', profile name, optionally attachment
+        '(' + 'profile' + '\s+' + RE_PROFILE_NAME % 'namedprofile' + '(\s+' + RE_PROFILE_PATH % 'attachment' + ')?' + ')' + # 'profile', profile name, optionally attachment
     ')' +
     '\s+((flags=)?\((?P<flags>.+)\)\s+)?\{' + RE_EOL)
 
=== modified file utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py 2015-04-27 22:25:01.512298747 +0200
+++ utils/test/test-regex_matches.py 2015-05-08 21:09:17.085562824 +0200
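Review bot: The two new pattern constants are plain (non-raw) string literals that carry regex escapes such as `\S`, so they only work because Python currently passes unknown escapes through unchanged; Python 3.6 started emitting DeprecationWarning for them and 3.12 raises it to SyntaxWarning, so a future interpreter may reject the file outright. Writing them as raw strings, `RE_PROFILE_NAME = r'(?P<%s>(\S+|"[^"]+"))'` and `RE_PROFILE_PATH = r'(?P<%s>(/\S+|"/[^"]+"))'`, removes that dependence at no cost, and the same applies to the `'\s+'` fragment in the RE_PROFILE_START hunk below (the surrounding RE_EOL/RE_PROFILE_* lines have the same issue but are pre-existing). Because the fragments are expanded with `%`, a literal `%` can never be added to either pattern later without breaking every call site; the trailing comment could record that constraint, e.g. `# contains a %s placeholder: keep the pattern free of other '%' characters`.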
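Review bot: The new alternatives in RE_PROFILE_START depend on `%` binding tighter than `+` (`RE_PROFILE_PATH % 'plainprofile' + '|'`), which is correct but easy to misread inside a long concatenation chain; parenthesising each substitution, `(RE_PROFILE_PATH % 'plainprofile') + # just a path` and likewise for `'namedprofile'` and `'attachment'`, makes the grouping explicit and guards against a later edit putting a `+` on the wrong side of the `%`. The `# just a path` comment also no longer says what is accepted now that the plain and quoted forms both require a leading '/'; `# attachment path: /path or "/quoted path"` would describe what RE_PROFILE_PATH admits. The RE_PROFILE_START definition appears to be complete within this hunk, while RE_PROFILE_NAME and RE_PROFILE_PATH come from the earlier hunk.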
@@ -403,6 +403,8 @@
     ('/bin/foo /bin/bar', False), # missing 'profile' keyword
     ('profile {', False), # no attachment
     (' profile foo bar /foo {', False), # missing quotes around "foo bar"
+    ('bin/foo {', False), # not starting with '/'
+    ('"bin/foo" {', False), # not starting with '/', quoted version
     (' /foo {', { 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
     (' "/foo" {', { 'plainprofile': '"/foo"', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),

Regards,

Christian Boltz
-- 
Zu Risiken und Nebenwirkungen der PIN und TAN-Eingabe im Internet beachten Sie die üblichen Sicherheitsmaßnahmen und fragen sie Ihren gesunden Menschenverstand oder einen Experten.
[gefunden auf http://www.heise.de/security/news/meldung/61241]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor