parser: fix filter slashes for profile attachments

The parser is failing to properly filter the slashes in the profile attachment after variable expansion. Causing matche failures when multiple slashes occur. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/154 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/727 Reported-by: Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: time out
2025-03-04 08:24:42 +01:00 · 2021-03-16 03:44:19 -07:00 · 2021-03-16 03:44:19 -07:00 · be0d2fa947
commit be0d2fa947
parent 71bf9e132f
2 changed files with 24 additions and 6 deletions
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -468,20 +468,26 @@ static int process_profile_name_xmatch(Profile *prof)
 {
 	std::string tbuf;
 	pattern_t ptype;
-	const char *name;
+	char *name;

 	struct cond_entry *entry;
 	const char *xattr_value;

-	/* don't filter_slashes for profile names */
-	if (prof->attachment)
+	if (prof->attachment) {
 		name = prof->attachment;
-	else
-		name = local_name(prof->name);
+	} else {
+		/* don't filter_slashes for profile names, do on attachment */
+		name = strdup(local_name(prof->name));
+		if (!name)
+			return FALSE;
+	}
+	filter_slashes(name);
 	ptype = convert_aaregex_to_pcre(name, 0, glob_default, tbuf,
 					&prof->xmatch_len);
 	if (ptype == ePatternBasic)
 		prof->xmatch_len = strlen(name);
+	if (!prof->attachment)
+		free(name);

 	if (ptype == ePatternInvalid) {
 		PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
@ -505,6 +511,7 @@ static int process_profile_name_xmatch(Profile *prof)
 			list_for_each(prof->altnames, alt) {
 				int len;
 				tbuf.clear();
+				filter_slashes(alt->name);
 				ptype = convert_aaregex_to_pcre(alt->name, 0,
 								glob_default,
 								tbuf, &len);
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@ -630,7 +630,18 @@ verify_binary_equality "link rules slash filtering" \
                           /t { link @{FOO}//foo -> /mnt/bar, }" \
                       "@{FOO}=/dev/
                        @{BAR}=/mnt/
-                           /t { link @{FOO}/foo -> @{BAR}/bar, }" \
+                           /t { link @{FOO}/foo -> @{BAR}/bar, }"
+
+verify_binary_equality "attachment slash filtering" \
+                       "/t /bin/foo { }" \
+                       "/t /bin//foo { }" \
+                       "@{BAR}=/bin/
+			   /t @{BAR}/foo { }" \
+                       "@{FOO}=/foo
+			   /t /bin/@{FOO} { }" \
+                       "@{BAR}=/bin/
+                        @{FOO}=/foo
+			   /t @{BAR}/@{FOO} { }"

 if [ $fails -ne 0 ] || [ $errors -ne 0 ]
 then