Handle differentation of directories and files via / for the dfa engine.

This causes the dfa engine to not strip trailing / and to handle /*/ /**/ and /* and /** cases specially so that directories don't get matched unintentionally aare pcre /foo/* -> /foo/[^/][^/]* so the dir /foo/ will not match the rule /foo/** -> /foo/[^/].* /*/foo -> /[^/][^/]*/foo so the rule won't match //foo /**/foo -> /[^/].*/foo rules that contain more than a * or ** between dir / elements do not get converted, ie. /foo* /foo** /foo*/ /foo**/ /*foo /**foo /*foo/ /**foo/ there is a known case where this patch is incomplete. When there exists an alternation that can be empty and * or ** ie. /{foo,}* /{foo,*}
2025-03-04 08:24:42 +01:00 · 2007-03-14 22:00:39 +00:00 · 2007-03-14 22:00:39 +00:00 · 51b25bd3e5
commit 51b25bd3e5
parent a39a3b0410
1 changed files with 43 additions and 4 deletions
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -107,11 +107,19 @@ static void filter_slashes(char *path)
 		}
 	}
 	*dptr = 0;
-	/* eliminate trailing slash */
+
+	if (regex_type != AARE_DFA) {
+		/* eliminate trailing slashes for versions of apparmor that
+		 * do not use the dfa engine.
+		 * Versions of apparmor which use the dfa engine use the
+		 * trailing / to differentiate between file and directory
+		 * matches
+		 */
 		len = strlen(path);
 		if (len > 2 && path[len -1] == '/') {
 			path[len - 1] = 0;
 		}
+	}
 }

 static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
@ -177,6 +185,35 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
 				 */
 				STORE("\\*", dptr, 2);
 			} else {
+				if ((dptr > pcre) &&  *(dptr - 1) == '/') {
+					#if 0
+					/* handle comment containing use
+					 * of C comment characters
+					 * /* /*/ and /** to describe paths
+					 *
+					 * modify what is emitted for * and **
+					 * when used as the only path
+					 * component
+					 * ex.
+					 * /* /*/ /**/ /**
+					 * this prevents these expressions
+					 * from matching directories or
+					 * invalid paths
+					 * in these case * and ** must
+					 * match at least 1 character to
+					 * get a valid path element.
+					 * ex.
+					 * /foo/* -> should not match /foo/
+					 * /foo/*bar -> should match /foo/bar
+					 * /*/foo -> should not match //foo
+					 */
+					#endif
+					char *s = sptr;
+					while (*s == '*')
+						s++;
+					if (*s == '/' || !*s)
+						STORE("[^/]", dptr, 4);
+				}
 				if (*(sptr + 1) == '*') {
 					/* is this the first regex form we
 					 * have seen and also the end of
@ -621,6 +658,8 @@ static int test_filter_slashes(void)
 	return rc;
 }

+int regex_type = AARE_PCRE;
+
 int main(void)
 {
 	int rc = 0;