Update the parse to emit a 0 to seperate pairs in the dfa.

This was always the intended behavior and fixes a bug where the dfa will match change profile rules using // seperator.
2025-03-04 08:24:42 +01:00 · 2008-03-13 16:46:19 +00:00 · 2008-03-13 16:46:19 +00:00 · 814773b2e1
commit 814773b2e1
parent 923fc92c7a
4 changed files with 42 additions and 24 deletions
--- a/parser/libapparmor_re/apparmor_re.h
+++ b/parser/libapparmor_re/apparmor_re.h
@ -21,7 +21,10 @@ typedef struct aare_ruleset aare_ruleset_t;

 aare_ruleset_t *aare_new_ruleset(int reverse);
 void aare_delete_ruleset(aare_ruleset_t *rules);
-int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms);
+int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+		  uint32_t perms, uint32_t audit);
+int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
+		      uint32_t audit, int count, char **rulev);
 void *aare_create_dfa(aare_ruleset_t *rules, int equiv_classes, size_t *size);

 #ifdef __cplusplus
--- a/parser/libapparmor_re/flex-tables.h
+++ b/parser/libapparmor_re/flex-tables.h
@ -22,6 +22,7 @@ struct table_set_header {
 #define YYTD_ID_DEF	4
 #define YYTD_ID_EC	5
 #define YYTD_ID_META	6
+#define YYTD_ID_ACCEPT2 7
 #define YYTD_ID_NXT	8

 #define YYTD_DATA8	1
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@ -1546,17 +1546,33 @@ uint32_t accept_perms(State *state)
 }

 extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms)
+{
+    return aare_add_rule_vec(rules, perms, 1, &rule);
+}
+
+extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, uint32_t perms,
+				 int count, char **rulev)
 {
    static MatchFlag *match_flags[sizeof(perms) * 8 - 1];
    static MatchFlag *exec_match_flags[8 * 2];
    static ExactMatchFlag *exact_match_flags[8 * 2];
-    Node *tree, *accept;
+    Node *tree = NULL, *accept;
    int exact_match;

    assert(perms != 0);

-    if (regexp_parse(&tree, rule))
+    if (regexp_parse(&tree, rulev[0]))
 	return 0;
+    for (int i = 1; i < count; i++) {
+	    Node *subtree = NULL;
+	    Node *node = new CharNode(0);
+	    if (!node)
+		return 0;
+	    tree = new CatNode(tree, node);
+	    if (regexp_parse(&subtree, rulev[i]))
+		return 0;
+	    tree = new CatNode(tree, subtree);
+    }

    /*
     * Check if we have an expression with or without wildcards. This
@ -1580,7 +1596,7 @@ extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms)
 #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7)

 if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
-	fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rule);
+	fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);

    accept = NULL;
    for (unsigned int n = 0; perms && n < (sizeof(perms) * 8) - 1; n++) {
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -509,33 +509,31 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 		/* add the pair rule */
 		char lbuf[PATH_MAX + 8];
 		int perms = AA_LINK_BITS & entry->mode;
+		char *vec[2];
+		vec[0] = tbuf;
 		if (entry->link_name) {
-			sprintf(lbuf, "%s//%s", entry->name, entry->link_name);
+			ptype = convert_aaregex_to_pcre(entry->link_name, 0, lbuf, PATH_MAX + 8);
+			if (ptype == ePatternInvalid)
+				return FALSE;
+			vec[1] = lbuf;
 		} else {
 			perms |= LINK_TO_LINK_SUBSET(perms);
-			sprintf(lbuf, "%s///**", entry->name);
+			vec[1] = "/[^/].*";
 		}
-		ptype = convert_aaregex_to_pcre(lbuf, 0, tbuf, PATH_MAX + 8);
-		if (ptype == ePatternInvalid)
+		if (!aare_add_rule_vec(dfarules, perms, 2, vec))
 			return FALSE;
-		if (!aare_add_rule(dfarules, tbuf, perms))
-			return FALSE;
-/*		if (!aare_add_vec_rule(dfarules, perms,
-				       tbuf, "/**", NULL))
-			return FALSE;
-*/
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
-		char lbuf[2*PATH_MAX + 8];
-		if (entry->namespace)
-			sprintf(lbuf, "%s//%s", entry->namespace, entry->name);
-		else
-			sprintf(lbuf, "%s", entry->name);
-		ptype = convert_aaregex_to_pcre(lbuf, 0, tbuf, 2*PATH_MAX + 8);
-		if (ptype == ePatternInvalid)
-			return FALSE;
-		if (!aare_add_rule(dfarules, tbuf, AA_CHANGE_PROFILE))
-			return FALSE;
+		if (entry->namespace) {
+			char *vec[2];
+			vec[0] = entry->namespace;
+			vec[1] = entry->name;
+			if (!aare_add_rule_vec(dfarules, AA_CHANGE_PROFILE, 2, vec))
+			    return FALSE;
+		} else {
+			if (!aare_add_rule(dfarules, entry->name, AA_CHANGE_PROFILE))
+				return FALSE;
+		}
 	}
 	return TRUE;
 }