From 2a96ddc7fdf62720c13b8bbe55204cc2eb54522f Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 31 Aug 2020 19:01:06 -0700
Subject: [PATCH] parser: Fix expansion of variables in unix rules addr= conditional
The parser is not treating unix addr as a path and filtering slashes after variable expansion. This can lead to errors where @{foo}=/a/ unix bind addr=@{foo}/bar, will always fail because addr is being matched as /a//bar instead of /a/bar.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738
Signed-off-by: John Johansen
(cherry picked from commit 6af05006d9dd1bfaa36e555841496a4cbf3992ee)
---
parser/af_unix.cc | 2 ++
parser/parser.h | 1 +
parser/parser_regex.c | 2 +-
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index c80a9f532..98a9b657e 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -151,9 +151,11 @@ int unix_rule::expand_variables(void)
 	error = expand_entry_variables(&addr);
 	if (error)
 		return error;
+	filter_slashes(addr);
 	error = expand_entry_variables(&peer_addr);
 	if (error)
 		return error;
+	filter_slashes(peer_addr);
 	return 0;
 }
diff --git a/parser/parser.h b/parser/parser.h
index 5643f5518..7b703c5c6 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -367,6 +367,7 @@ extern int post_process_entry(struct cod_entry *entry);
 extern int process_policydb(Profile *prof);
 extern int process_policy_ents(Profile *prof);
+extern void filter_slashes(char *path);
 /* parser_variable.c */
 int expand_entry_variables(char **name);
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 72df37aa8..8e0f63581 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
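Review bot: The two new filter_slashes() calls in unix_rule::expand_variables pass addr and peer_addr unconditionally; if a unix rule that omits the addr= or peer=(addr=) conditional leaves those members NULL, the new code relies on filter_slashes() tolerating a NULL argument, and the visible start of its body in the parser_regex.c hunk ends before any such guard. Either confirm that guard exists or make the calls conditional, `if (addr) filter_slashes(addr);` and `if (peer_addr) filter_slashes(peer_addr);`. Since filter_slashes() rewrites its argument in place and its own comment describes it as a path filter, a one-line comment on the first new call, `/* addr is matched as a path, so collapse doubled slashes left by expansion as file rules do */`, would explain the choice to the next reader. unix_rule::expand_variables begins before the hunk.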
@@ -47,7 +47,7 @@ enum error_type {
  * that's a distinct namespace in linux) and trailing slashes.
  * NOTE: modifies in place the contents of the path argument
  */
-static void filter_slashes(char *path)
+void filter_slashes(char *path)
 {
 	char *sptr, *dptr;
 	BOOL seen_slash = 0;