Fix handling of quoted peers in UnixRule (and others)

In UnixRule (and probably also in other rules that use
`print_dict_values()` and `initialize_cond_dict()`), the handling of
peers with a value that is quoted and/or needs to be quoted was broken
because

- quotes didn't get stripped in `initialize_cond_dict()`
- `print_dict_values()` didn't use `quote_if_needed()`

Note: print_dict_values also handles integers (like network ports).
Convert them to a string so that `if ' ' in data` in `quote_if_needed()`
doesn't explode.

Also enable the test that uncovered this bug.
Christian Boltz 2024-06-19 13:41:02 +02:00
parent d8360dc765
commit b53d15896e
2 changed files with 4 additions and 3 deletions


@ -17,6 +17,7 @@ from abc import ABCMeta, abstractmethod
from apparmor.aare import AARE
from apparmor.common import AppArmorBug, AppArmorException
from apparmor.regex import strip_quotes
from apparmor.translations import init_translation
_ = init_translation()
@ -574,7 +575,7 @@ def check_dict_keys(d, possible_keys, type_all):
def initialize_cond_dict(d, keys, suffix, type_all):
out = {
key: d[f'{key}{suffix}']
key: strip_quotes(d[f'{key}{suffix}'])
for key in keys
if f'{key}{suffix}' in d and d[f'{key}{suffix}'] is not None
}
@ -592,7 +593,7 @@ def tuple_to_dict(t, keys):
def print_dict_values(d, type_all, prefix=None):
if d == type_all:
return ''
to_print = ' '.join(f'{k}={v}' for k, v in d.items())
to_print = ' '.join(f'{k}={quote_if_needed(str(v))}' for k, v in d.items())
if prefix:
return f' {prefix}=({to_print})'
else:
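Review bot: The new `quote_if_needed(str(v))` call in `print_dict_values()` leans on a helper that, going by the commit message's `if ' ' in data`, seems to add quotes only when the value contains a space. If that is the case, a value carrying a `"`, `,` or `)` would still be written unquoted inside `peer=(...)`, and the serialized rule could parse back as a different rule than the one held in memory, which matters for a tool that rewrites confinement policy. `str(v)` also turns any non-string, including a stray `None`, into literal text, so I would document the contract with a comment such as `# values are str or int (e.g. ports); quote_if_needed() needs str` and add a write-then-reparse test for values with those characters. The body of `print_dict_values()` continues past the `else:` at the end of this hunk.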


@ -38,7 +38,7 @@ class UnixTestParse(AATest):
('unix shutdown addr=@srv,', UnixRule('shutdown', UnixRule.ALL, {'addr': '@srv'}, UnixRule.ALL, False, False, False, '')),
('unix send addr=@foo{a,b} peer=(label=splat),', UnixRule('send', UnixRule.ALL, {'addr': '@foo{a,b}'}, {'label': 'splat'}, False, False, False, '')),
('unix peer=(addr=@/tmp/foo-??????),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-??????'}, False, False, False, '')),
# ('unix peer=(addr="@/tmp/f o-??????"),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/f o-??????'}, False, False, False, '')), # quote handling is broken
('unix peer=(addr="@/tmp/f o-??????"),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/f o-??????'}, False, False, False, '')),
('unix peer=(addr=@/tmp/foo-*),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-*'}, False, False, False, '')),
('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),',
UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')), # noqa: E127
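Review bot: The re-enabled case exercises a quoted value only for `addr` inside `peer=(...)`; since `initialize_cond_dict()` now strips quotes for every key, a quoted local condition deserves its own entry, e.g. `('unix shutdown addr="@s rv",', UnixRule('shutdown', UnixRule.ALL, {'addr': '@s rv'}, UnixRule.ALL, False, False, False, '')),` (constructed sample, assuming the rule regex accepts quoted local values). Whether this test class also checks the written form of the rule is not visible here, as the tuple list and its runner sit outside the hunk. If it does not, a check that the cleaned output re-quotes `@/tmp/f o-??????` would pin the `print_dict_values()` half of the fix.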