mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: remove length restriction in convert_aaregex_to_pcre usage

Browse source 
This patch removes the string length limit in convert_aaregex_to_pcre()
usage. One of the benefits to moving to C++ is the ability to use
std::strings, which dynamically resize themselves. While it's a large
patch, a non-trivial amount is due to needing to get a char * string
back out via the c_str() method.

The unit tests are modified to include checks to ensure that
convert_aaregex_to_pcre only appends to the passed pcre string,
it never resets it.

As the test case with overlong alternations added in the previous
patch now passes, the TODO status is removed from it.

(Note: there's a couple of FIXME comments related to converting typebuf
to std::string that are added by this patch that are addressed in the
next patch. I kept that conversion separate to try to reduce the size
of this patch a little.)

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
Steve Beattie 2013-12-16 01:15:17 -08:00
parent 62c13f66b0
commit cc1a6f0e55
2 changed files with 173 additions and 189 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

361
parser/parser_regex.c
View file

@ -24,6 +24,8 @@
#include <apparmor.h> #include <apparmor.h>
#define _(s) gettext(s) #define _(s) gettext(s)
#include <string>
/* #define DEBUG */ /* #define DEBUG */
#include "parser.h" #include "parser.h"
@ -81,17 +83,11 @@ static void filter_slashes(char *path)
*dptr = 0; *dptr = 0;
} }
/* converts the apparmor regex in aare and appends pcre regex output
* to pcre string */
static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
char *pcre, size_t pcre_size, std::string& pcre, int *first_re_pos)
int *first_re_pos)
{ {
#define STORE(_src, _dest, _len) \
if ((const char*)_dest + _len > (pcre + pcre_size)){ \
error = e_buffer_overflow; \
} else { \
memcpy(_dest, _src, _len); \
_dest += _len; \
}
#define update_re_pos(X) if (!(*first_re_pos)) { *first_re_pos = (X); } #define update_re_pos(X) if (!(*first_re_pos)) { *first_re_pos = (X); }
#define MAX_ALT_DEPTH 50 #define MAX_ALT_DEPTH 50
*first_re_pos = 0; *first_re_pos = 0;
@ -101,7 +97,6 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
enum error_type error; enum error_type error;
const char *sptr; const char *sptr;
char *dptr;
pattern_t ptype; pattern_t ptype;
BOOL bEscape = 0; /* flag to indicate escape */ BOOL bEscape = 0; /* flag to indicate escape */
@ -113,14 +108,13 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
ptype = ePatternBasic; /* assume no regex */ ptype = ePatternBasic; /* assume no regex */
sptr = aare; sptr = aare;
dptr = pcre;
if (dfaflags & DFA_DUMP_RULE_EXPR) if (dfaflags & DFA_DUMP_RULE_EXPR)
fprintf(stderr, "aare: %s -> ", aare); fprintf(stderr, "aare: %s -> ", aare);
if (anchor) if (anchor)
/* anchor beginning of regular expression */ /* anchor beginning of regular expression */
*dptr++ = '^'; pcre.append("^");
while (error == e_no_error && *sptr) { while (error == e_no_error && *sptr) {
switch (*sptr) { switch (*sptr) {
@ -135,7 +129,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
* this is done by stripping later * this is done by stripping later
*/ */
if (bEscape) { if (bEscape) {
STORE("\\\\", dptr, 2); pcre.append("\\\\");
} else { } else {
bEscape = TRUE; bEscape = TRUE;
++sptr; ++sptr;
@ -149,9 +143,9 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
* end up using this regex buffer (i.e another * end up using this regex buffer (i.e another
* non-escaped regex follows) * non-escaped regex follows)
*/ */
STORE("\\*", dptr, 2); pcre.append("\\*");
} else { } else {
if ((dptr > pcre) && *(dptr - 1) == '/') { if ((pcre.length() > 0) && pcre[pcre.length() - 1] == '/') {
#if 0 #if 0
// handle comment containing use // handle comment containing use
// of C comment characters // of C comment characters
@ -177,7 +171,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
while (*s == '*') while (*s == '*')
s++; s++;
if (*s == '/' || !*s) { if (*s == '/' || !*s) {
STORE("[^/\\x00]", dptr, 8); pcre.append("[^/\\x00]");
} }
} }
if (*(sptr + 1) == '*') { if (*(sptr + 1) == '*') {
@ -195,12 +189,12 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
ptype = ePatternRegex; ptype = ePatternRegex;
} }
STORE("[^\\x00]*", dptr, 8); pcre.append("[^\\x00]*");
sptr++; sptr++;
} else { } else {
update_re_pos(sptr - aare); update_re_pos(sptr - aare);
ptype = ePatternRegex; ptype = ePatternRegex;
STORE("[^/\\x00]*", dptr, 9); pcre.append("[^/\\x00]*");
} /* *(sptr+1) == '*' */ } /* *(sptr+1) == '*' */
} /* bEscape */ } /* bEscape */
@ -212,48 +206,48 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
* so no need to escape, just skip * so no need to escape, just skip
* transform * transform
*/ */
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} else { } else {
update_re_pos(sptr - aare); update_re_pos(sptr - aare);
ptype = ePatternRegex; ptype = ePatternRegex;
STORE("[^/\\x00]", dptr, 8); pcre.append("[^/\\x00]");
} }
break; break;
case '[': case '[':
if (bEscape) { if (bEscape) {
/* [ is a PCRE special character */ /* [ is a PCRE special character */
STORE("\\[", dptr, 2); pcre.append("\\[");
} else { } else {
update_re_pos(sptr - aare); update_re_pos(sptr - aare);
incharclass = 1; incharclass = 1;
ptype = ePatternRegex; ptype = ePatternRegex;
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} }
break; break;
case ']': case ']':
if (bEscape) { if (bEscape) {
/* ] is a PCRE special character */ /* ] is a PCRE special character */
STORE("\\]", dptr, 2); pcre.append("\\]");
} else { } else {
if (incharclass == 0) { if (incharclass == 0) {
error = e_parse_error; error = e_parse_error;
PERROR(_("%s: Regex grouping error: Invalid close ], no matching open [ detected\n"), progname); PERROR(_("%s: Regex grouping error: Invalid close ], no matching open [ detected\n"), progname);
} }
incharclass = 0; incharclass = 0;
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} }
break; break;
case '{': case '{':
if (bEscape) { if (bEscape) {
/* { is a PCRE special character */ /* { is a PCRE special character */
STORE("\\{", dptr, 2); pcre.append("\\{");
} else { } else {
if (incharclass) { if (incharclass) {
/* don't expand inside [] */ /* don't expand inside [] */
STORE("{", dptr, 1); pcre.append("{");
} else { } else {
update_re_pos(sptr - aare); update_re_pos(sptr - aare);
ingrouping++; ingrouping++;
@ -264,7 +258,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
} else { } else {
grouping_count[ingrouping] = 0; grouping_count[ingrouping] = 0;
ptype = ePatternRegex; ptype = ePatternRegex;
STORE("(", dptr, 1); pcre.append("(");
} }
} /* incharclass */ } /* incharclass */
} }
@ -273,11 +267,11 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
case '}': case '}':
if (bEscape) { if (bEscape) {
/* { is a PCRE special character */ /* { is a PCRE special character */
STORE("\\}", dptr, 2); pcre.append("\\}");
} else { } else {
if (incharclass) { if (incharclass) {
/* don't expand inside [] */ /* don't expand inside [] */
STORE("}", dptr, 1); pcre.append("}");
} else { } else {
if (grouping_count[ingrouping] == 0) { if (grouping_count[ingrouping] == 0) {
error = e_parse_error; error = e_parse_error;
@ -290,7 +284,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
PERROR(_("%s: Regex grouping error: Invalid close }, no matching open { detected\n"), progname); PERROR(_("%s: Regex grouping error: Invalid close }, no matching open { detected\n"), progname);
ingrouping = 0; ingrouping = 0;
} }
STORE(")", dptr, 1); pcre.append(")");
} /* incharclass */ } /* incharclass */
} /* bEscape */ } /* bEscape */
@ -302,20 +296,20 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
/* escape inside char class is a /* escape inside char class is a
* valid matching char for '\' * valid matching char for '\'
*/ */
STORE("\\,", dptr, 2); pcre.append("\\,");
} else { } else {
/* ',' is not a PCRE regex character /* ',' is not a PCRE regex character
* so no need to escape, just skip * so no need to escape, just skip
* transform * transform
*/ */
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} }
} else { } else {
if (ingrouping && !incharclass) { if (ingrouping && !incharclass) {
grouping_count[ingrouping]++; grouping_count[ingrouping]++;
STORE("|", dptr, 1); pcre.append("|");
} else { } else {
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} }
} }
break; break;
@ -325,10 +319,10 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
case '^': case '^':
case '$': case '$':
if (incharclass) { if (incharclass) {
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} else { } else {
STORE("\\", dptr, 1); pcre.append("\\");
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
} }
break; break;
@ -343,7 +337,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
case '|': case '|':
case '(': case '(':
case ')': case ')':
STORE("\\", dptr, 1); pcre.append("\\");
// fall through to default // fall through to default
default: default:
@ -353,7 +347,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
pwarn("Character %c was quoted unnecessarily, " pwarn("Character %c was quoted unnecessarily, "
"dropped preceding quote ('\\') character\n", *sptr); "dropped preceding quote ('\\') character\n", *sptr);
} }
STORE(sptr, dptr, 1); pcre.append(1, *sptr);
break; break;
} /* switch (*sptr) */ } /* switch (*sptr) */
@ -376,10 +370,7 @@ static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
} }
/* anchor end and terminate pattern string */ /* anchor end and terminate pattern string */
if ((error == e_no_error) && anchor) { if ((error == e_no_error) && anchor) {
STORE("$" , dptr, 1); pcre.append("$");
}
if (error == e_no_error) {
STORE("", dptr, 1);
} }
/* check error again, as above STORE may have set it */ /* check error again, as above STORE may have set it */
if (error != e_no_error) { if (error != e_no_error) {
@ -400,7 +391,7 @@ out:
ptype = ePatternInvalid; ptype = ePatternInvalid;
if (dfaflags & DFA_DUMP_RULE_EXPR) if (dfaflags & DFA_DUMP_RULE_EXPR)
fprintf(stderr, "%s\n", pcre); fprintf(stderr, "%s\n", pcre.c_str());
return ptype; return ptype;
} }
@ -417,7 +408,7 @@ static const char *local_name(const char *name)
static int process_profile_name_xmatch(Profile *prof) static int process_profile_name_xmatch(Profile *prof)
{ {
char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */ std::string tbuf;
pattern_t ptype; pattern_t ptype;
const char *name; const char *name;
@ -426,7 +417,7 @@ static int process_profile_name_xmatch(Profile *prof)
name = prof->attachment; name = prof->attachment;
else else
name = local_name(prof->name); name = local_name(prof->name);
ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3, ptype = convert_aaregex_to_pcre(name, 0, tbuf,
&prof->xmatch_len); &prof->xmatch_len);
if (ptype == ePatternBasic) if (ptype == ePatternBasic)
prof->xmatch_len = strlen(name); prof->xmatch_len = strlen(name);
@ -444,7 +435,7 @@ static int process_profile_name_xmatch(Profile *prof)
aare_ruleset_t *rule = aare_new_ruleset(0); aare_ruleset_t *rule = aare_new_ruleset(0);
if (!rule) if (!rule)
return FALSE; return FALSE;
if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) { if (!aare_add_rule(rule, tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
aare_delete_ruleset(rule); aare_delete_ruleset(rule);
return FALSE; return FALSE;
} }
@ -452,15 +443,15 @@ static int process_profile_name_xmatch(Profile *prof)
struct alt_name *alt; struct alt_name *alt;
list_for_each(prof->altnames, alt) { list_for_each(prof->altnames, alt) {
int len; int len;
tbuf.clear();
ptype = convert_aaregex_to_pcre(alt->name, 0, ptype = convert_aaregex_to_pcre(alt->name, 0,
tbuf, tbuf,
PATH_MAX + 3,
&len); &len);
if (ptype == ePatternBasic) if (ptype == ePatternBasic)
len = strlen(alt->name); len = strlen(alt->name);
if (len < prof->xmatch_len) if (len < prof->xmatch_len)
prof->xmatch_len = len; prof->xmatch_len = len;
if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) { if (!aare_add_rule(rule, tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
aare_delete_ruleset(rule); aare_delete_ruleset(rule);
return FALSE; return FALSE;
} }
@ -478,7 +469,7 @@ static int process_profile_name_xmatch(Profile *prof)
static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
{ {
char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */ std::string tbuf;
pattern_t ptype; pattern_t ptype;
int pos; int pos;
@ -488,7 +479,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
if (entry->mode & ~AA_CHANGE_PROFILE) if (entry->mode & ~AA_CHANGE_PROFILE)
filter_slashes(entry->name); filter_slashes(entry->name);
ptype = convert_aaregex_to_pcre(entry->name, 0, tbuf, PATH_MAX+3, &pos); ptype = convert_aaregex_to_pcre(entry->name, 0, tbuf, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
return FALSE; return FALSE;
@ -510,30 +501,30 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
* entry of the pair * entry of the pair
*/ */
if (entry->deny && (entry->mode & AA_LINK_BITS)) { if (entry->deny && (entry->mode & AA_LINK_BITS)) {
if (!aare_add_rule(dfarules, tbuf, entry->deny, if (!aare_add_rule(dfarules, tbuf.c_str(), entry->deny,
entry->mode & ~AA_LINK_BITS, entry->mode & ~AA_LINK_BITS,
entry->audit & ~AA_LINK_BITS, dfaflags)) entry->audit & ~AA_LINK_BITS, dfaflags))
return FALSE; return FALSE;
} else if (entry->mode & ~AA_CHANGE_PROFILE) { } else if (entry->mode & ~AA_CHANGE_PROFILE) {
if (!aare_add_rule(dfarules, tbuf, entry->deny, entry->mode, if (!aare_add_rule(dfarules, tbuf.c_str(), entry->deny, entry->mode,
entry->audit, dfaflags)) entry->audit, dfaflags))
return FALSE; return FALSE;
} }
if (entry->mode & (AA_LINK_BITS)) { if (entry->mode & (AA_LINK_BITS)) {
/* add the pair rule */ /* add the pair rule */
char lbuf[PATH_MAX + 8]; std::string lbuf;
int perms = AA_LINK_BITS & entry->mode; int perms = AA_LINK_BITS & entry->mode;
const char *vec[2]; const char *vec[2];
int pos; int pos;
vec[0] = tbuf; vec[0] = tbuf.c_str();
if (entry->link_name) { if (entry->link_name) {
ptype = convert_aaregex_to_pcre(entry->link_name, 0, lbuf, PATH_MAX + 8, &pos); ptype = convert_aaregex_to_pcre(entry->link_name, 0, lbuf, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
return FALSE; return FALSE;
if (entry->subset) if (entry->subset)
perms |= LINK_TO_LINK_SUBSET(perms); perms |= LINK_TO_LINK_SUBSET(perms);
vec[1] = lbuf; vec[1] = lbuf.c_str();
} else { } else {
perms |= LINK_TO_LINK_SUBSET(perms); perms |= LINK_TO_LINK_SUBSET(perms);
vec[1] = "/[^/].*"; vec[1] = "/[^/].*";
@ -543,7 +534,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
} }
if (entry->mode & AA_CHANGE_PROFILE) { if (entry->mode & AA_CHANGE_PROFILE) {
const char *vec[3]; const char *vec[3];
char lbuf[PATH_MAX + 8]; std::string lbuf;
int index = 1; int index = 1;
/* allow change_profile for all execs */ /* allow change_profile for all execs */
@ -551,10 +542,10 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
if (entry->ns) { if (entry->ns) {
int pos; int pos;
ptype = convert_aaregex_to_pcre(entry->ns, 0, lbuf, PATH_MAX + 8, &pos); ptype = convert_aaregex_to_pcre(entry->ns, 0, lbuf, &pos);
vec[index++] = lbuf; vec[index++] = lbuf.c_str();
} }
vec[index++] = tbuf; vec[index++] = tbuf.c_str();
/* regular change_profile rule */ /* regular change_profile rule */
if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags)) if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
@ -639,7 +630,7 @@ out:
static int build_list_val_expr(char *buffer, int size, struct value_list *list) static int build_list_val_expr(char *buffer, int size, struct value_list *list)
{ {
struct value_list *ent; struct value_list *ent;
char tmp[PATH_MAX + 3]; std::string tmp;
char *p; char *p;
int len; int len;
pattern_t ptype; pattern_t ptype;
@ -656,28 +647,28 @@ static int build_list_val_expr(char *buffer, int size, struct value_list *list)
if (p > buffer + size) if (p > buffer + size)
goto fail; goto fail;
ptype = convert_aaregex_to_pcre(list->value, 0, tmp, PATH_MAX+3, &pos); ptype = convert_aaregex_to_pcre(list->value, 0, tmp, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
len = strlen(tmp); len = tmp.length();
if (len > size - (p - buffer)) if (len > size - (p - buffer))
goto fail; goto fail;
strcpy(p, tmp); strcpy(p, tmp.c_str());
p += len; p += len;
list_for_each(list->next, ent) { list_for_each(list->next, ent) {
ptype = convert_aaregex_to_pcre(ent->value, 0, tmp, tmp.clear();
PATH_MAX+3, &pos); ptype = convert_aaregex_to_pcre(ent->value, 0, tmp, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
strncpy(p, "|", size - (p - buffer)); strncpy(p, "|", size - (p - buffer));
p++; p++;
len = strlen(tmp); len = tmp.length();
if (len > size - (p - buffer)) if (len > size - (p - buffer))
goto fail; goto fail;
strcpy(p, tmp); strcpy(p, tmp.c_str());
p += len; p += len;
} }
strncpy(p, ")", size - (p - buffer)); strncpy(p, ")", size - (p - buffer));
@ -690,22 +681,19 @@ fail:
return FALSE; return FALSE;
} }
static int convert_entry(char *buffer, int size, char *entry) static int convert_entry(std::string& buffer, char *entry)
{ {
pattern_t ptype; pattern_t ptype;
int pos; int pos;
if (entry) { if (entry) {
ptype = convert_aaregex_to_pcre(entry, 0, buffer, size, &pos); ptype = convert_aaregex_to_pcre(entry, 0, buffer, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
return FALSE; return FALSE;
} else { } else {
/* match any char except \000 0 or more times */ buffer.append("[^\\000]*");
if (size < 8)
return FALSE;
strcpy(buffer, "[^\\000]*");
} }
return TRUE; return TRUE;
} }
@ -750,38 +738,24 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
return TRUE; return TRUE;
} }
static int build_mnt_opts(char *buffer, int size, struct value_list *opts) static int build_mnt_opts(std::string& buffer, struct value_list *opts)
{ {
struct value_list *ent; struct value_list *ent;
char tmp[PATH_MAX + 3];
char *p;
int len;
pattern_t ptype; pattern_t ptype;
int pos; int pos;
if (!opts) { if (!opts) {
if (size < 8) buffer.append("[^\\000]*");
return FALSE;
strncpy(buffer, "[^\\000]*", size);
return TRUE; return TRUE;
} }
p = buffer;
list_for_each(opts, ent) { list_for_each(opts, ent) {
ptype = convert_aaregex_to_pcre(ent->value, 0, tmp, ptype = convert_aaregex_to_pcre(ent->value, 0, buffer, &pos);
PATH_MAX+3, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
len = strlen(tmp); if (ent->next)
if (len > size - (p - buffer)) buffer.append(",");
goto fail;
strcpy(p, tmp);
p += len;
if (ent->next && size - (p - buffer) > 1) {
*p++ = ',';
*p = 0;
}
} }
return TRUE; return TRUE;
@ -792,16 +766,18 @@ fail:
static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry) static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
{ {
char mntbuf[PATH_MAX + 3]; std::string mntbuf;
char devbuf[PATH_MAX + 3]; std::string devbuf;
char typebuf[PATH_MAX + 3]; char typebuf[PATH_MAX + 3];
char flagsbuf[PATH_MAX + 3]; char flagsbuf[PATH_MAX + 3];
char optsbuf[PATH_MAX + 3]; std::string optsbuf;
char *p; char class_mount_hdr[64];
const char *vec[5]; const char *vec[5];
int count = 0; int count = 0;
unsigned int flags, inv_flags; unsigned int flags, inv_flags;
sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
/* a single mount rule may result in multiple matching rules being /* a single mount rule may result in multiple matching rules being
* created in the backend to cover all the possible choices * created in the backend to cover all the possible choices
*/ */
@ -810,25 +786,25 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
&& !entry->device && !entry->dev_type) { && !entry->device && !entry->dev_type) {
int allow; int allow;
/* remount can't be conditional on device and type */ /* remount can't be conditional on device and type */
p = mntbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (entry->mnt_point) { if (entry->mnt_point) {
/* both device && mnt_point or just mnt_point */ /* both device && mnt_point or just mnt_point */
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
} else { } else {
if (!convert_entry(p, PATH_MAX +3, entry->device)) if (!convert_entry(mntbuf, entry->device))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
} }
/* skip device */ /* skip device */
if (!convert_entry(devbuf, PATH_MAX +3, NULL)) devbuf.clear();
if (!convert_entry(devbuf, NULL))
goto fail; goto fail;
vec[1] = devbuf; vec[1] = devbuf.c_str();
/* skip type */ /* skip type */
vec[2] = devbuf; vec[2] = devbuf.c_str();
flags = entry->flags; flags = entry->flags;
inv_flags = entry->inv_flags; inv_flags = entry->inv_flags;
@ -839,8 +815,6 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags)) if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
goto fail;
if (entry->opts) if (entry->opts)
allow = AA_MATCH_CONT; allow = AA_MATCH_CONT;
@ -856,9 +830,10 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
if (entry->opts) { if (entry->opts) {
/* rule with data match required */ /* rule with data match required */
if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts)) optsbuf.clear();
if (!build_mnt_opts(optsbuf, entry->opts))
goto fail; goto fail;
vec[4] = optsbuf; vec[4] = optsbuf.c_str();
if (!aare_add_rule_vec(dfarules, entry->deny, if (!aare_add_rule_vec(dfarules, entry->deny,
entry->allow, entry->allow,
entry->audit | AA_AUDIT_MNT_DATA, entry->audit | AA_AUDIT_MNT_DATA,
@ -870,18 +845,21 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND) if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
&& !entry->dev_type && !entry->opts) { && !entry->dev_type && !entry->opts) {
/* bind mount rules can't be conditional on dev_type or data */ /* bind mount rules can't be conditional on dev_type or data */
p = mntbuf; std::string tmpbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
if (!convert_entry(devbuf, PATH_MAX +3, entry->device)) devbuf.clear();
if (!convert_entry(devbuf, entry->device))
goto fail; goto fail;
vec[1] = devbuf; vec[1] = devbuf.c_str();
if (!convert_entry(typebuf, PATH_MAX +3, NULL)) /* FIXME: when typebuf gets converted to std::string,
* switch tmpbuf back to typebuf */
if (!convert_entry(tmpbuf, NULL))
goto fail; goto fail;
vec[2] = typebuf; vec[2] = tmpbuf.c_str();
flags = entry->flags; flags = entry->flags;
inv_flags = entry->inv_flags; inv_flags = entry->inv_flags;
@ -903,17 +881,17 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
/* change type base rules can not be conditional on device, /* change type base rules can not be conditional on device,
* device type or data * device type or data
*/ */
p = mntbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
/* skip device and type */ /* skip device and type */
if (!convert_entry(devbuf, PATH_MAX +3, NULL)) devbuf.clear();
if (!convert_entry(devbuf, NULL))
goto fail; goto fail;
vec[1] = devbuf; vec[1] = devbuf.c_str();
vec[2] = devbuf; vec[2] = devbuf.c_str();
flags = entry->flags; flags = entry->flags;
inv_flags = entry->inv_flags; inv_flags = entry->inv_flags;
@ -934,19 +912,22 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
/* mount move rules can not be conditional on dev_type, /* mount move rules can not be conditional on dev_type,
* or data * or data
*/ */
p = mntbuf; std::string tmpbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
if (!convert_entry(devbuf, PATH_MAX +3, entry->device)) devbuf.clear();
if (!convert_entry(devbuf, entry->device))
goto fail; goto fail;
vec[1] = devbuf; vec[1] = devbuf.c_str();
/* skip type */ /* skip type */
if (!convert_entry(typebuf, PATH_MAX +3, NULL)) /* FIXME: when typebuf gets converted to std::string,
* switch tmpbuf back to typebuf */
if (!convert_entry(tmpbuf, NULL))
goto fail; goto fail;
vec[2] = typebuf; vec[2] = tmpbuf.c_str();
flags = entry->flags; flags = entry->flags;
inv_flags = entry->inv_flags; inv_flags = entry->inv_flags;
@ -968,15 +949,15 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
/* generic mount if flags are set that are not covered by /* generic mount if flags are set that are not covered by
* above commands * above commands
*/ */
p = mntbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
if (!convert_entry(devbuf, PATH_MAX +3, entry->device)) devbuf.clear();
if (!convert_entry(devbuf, entry->device))
goto fail; goto fail;
vec[1] = devbuf; vec[1] = devbuf.c_str();
if (!build_list_val_expr(typebuf, PATH_MAX+2, entry->dev_type)) if (!build_list_val_expr(typebuf, PATH_MAX+2, entry->dev_type))
goto fail; goto fail;
vec[2] = typebuf; vec[2] = typebuf;
@ -1005,9 +986,10 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
if (entry->opts) { if (entry->opts) {
/* rule with data match required */ /* rule with data match required */
if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts)) optsbuf.clear();
if (!build_mnt_opts(optsbuf, entry->opts))
goto fail; goto fail;
vec[4] = optsbuf; vec[4] = optsbuf.c_str();
if (!aare_add_rule_vec(dfarules, entry->deny, if (!aare_add_rule_vec(dfarules, entry->deny,
entry->allow, entry->allow,
entry->audit | AA_AUDIT_MNT_DATA, entry->audit | AA_AUDIT_MNT_DATA,
@ -1017,27 +999,26 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
} }
} }
if (entry->allow & AA_MAY_UMOUNT) { if (entry->allow & AA_MAY_UMOUNT) {
p = mntbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow, if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
entry->audit, 1, vec, dfaflags)) entry->audit, 1, vec, dfaflags))
goto fail; goto fail;
count++; count++;
} }
if (entry->allow & AA_MAY_PIVOTROOT) { if (entry->allow & AA_MAY_PIVOTROOT) {
p = mntbuf;
/* rule class single byte header */ /* rule class single byte header */
p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT); mntbuf.assign(class_mount_hdr);
if (!convert_entry(p, PATH_MAX +3, entry->mnt_point)) if (!convert_entry(mntbuf, entry->mnt_point))
goto fail; goto fail;
vec[0] = mntbuf; vec[0] = mntbuf.c_str();
if (!convert_entry(devbuf, PATH_MAX +3, entry->device)) devbuf.clear();
if (!convert_entry(devbuf, entry->device))
goto fail; goto fail;
vec[1] = devbuf; vec[1] = devbuf.c_str();
if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow, if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
entry->audit, 2, vec, dfaflags)) entry->audit, 2, vec, dfaflags))
goto fail; goto fail;
@ -1058,13 +1039,13 @@ fail:
static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry) static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry)
{ {
char busbuf[PATH_MAX + 3]; std::string busbuf;
char namebuf[PATH_MAX + 3]; std::string namebuf;
char peer_labelbuf[PATH_MAX + 3]; std::string peer_labelbuf;
char pathbuf[PATH_MAX + 3]; std::string pathbuf;
char ifacebuf[PATH_MAX + 3]; std::string ifacebuf;
char memberbuf[PATH_MAX + 3]; std::string memberbuf;
char *p; char buffer[128];
const char *vec[6]; const char *vec[6];
pattern_t ptype; pattern_t ptype;
@ -1073,26 +1054,24 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
if (!entry) /* shouldn't happen */ if (!entry) /* shouldn't happen */
return TRUE; return TRUE;
p = busbuf; sprintf(buffer, "\\x%02x", AA_CLASS_DBUS);
p += sprintf(p, "\\x%02x", AA_CLASS_DBUS); busbuf.append(buffer);
if (entry->bus) { if (entry->bus) {
ptype = convert_aaregex_to_pcre(entry->bus, 0, p, ptype = convert_aaregex_to_pcre(entry->bus, 0, busbuf, &pos);
PATH_MAX+3 - (p - busbuf), &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
} else { } else {
/* match any char except \000 0 or more times */ /* match any char except \000 0 or more times */
strcpy(p, "[^\\000]*"); busbuf.append("[^\\000]*");
} }
vec[0] = busbuf; vec[0] = busbuf.c_str();
if (entry->name) { if (entry->name) {
ptype = convert_aaregex_to_pcre(entry->name, 0, namebuf, ptype = convert_aaregex_to_pcre(entry->name, 0, namebuf, &pos);
PATH_MAX+3, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
vec[1] = namebuf; vec[1] = namebuf.c_str();
} else { } else {
/* match any char except \000 0 or more times */ /* match any char except \000 0 or more times */
vec[1] = "[^\\000]*"; vec[1] = "[^\\000]*";
@ -1100,44 +1079,40 @@ static int process_dbus_entry(aare_ruleset_t *dfarules, struct dbus_entry *entry
if (entry->peer_label) { if (entry->peer_label) {
ptype = convert_aaregex_to_pcre(entry->peer_label, 0, ptype = convert_aaregex_to_pcre(entry->peer_label, 0,
peer_labelbuf, PATH_MAX+3, peer_labelbuf, &pos);
&pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
vec[2] = peer_labelbuf; vec[2] = peer_labelbuf.c_str();
} else { } else {
/* match any char except \000 0 or more times */ /* match any char except \000 0 or more times */
vec[2] = "[^\\000]*"; vec[2] = "[^\\000]*";
} }
if (entry->path) { if (entry->path) {
ptype = convert_aaregex_to_pcre(entry->path, 0, pathbuf, ptype = convert_aaregex_to_pcre(entry->path, 0, pathbuf, &pos);
PATH_MAX+3, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
vec[3] = pathbuf; vec[3] = pathbuf.c_str();
} else { } else {
/* match any char except \000 0 or more times */ /* match any char except \000 0 or more times */
vec[3] = "[^\\000]*"; vec[3] = "[^\\000]*";
} }
if (entry->interface) { if (entry->interface) {
ptype = convert_aaregex_to_pcre(entry->interface, 0, ifacebuf, ptype = convert_aaregex_to_pcre(entry->interface, 0, ifacebuf, &pos);
PATH_MAX+3, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
vec[4] = ifacebuf; vec[4] = ifacebuf.c_str();
} else { } else {
/* match any char except \000 0 or more times */ /* match any char except \000 0 or more times */
vec[4] = "[^\\000]*"; vec[4] = "[^\\000]*";
} }
if (entry->member) { if (entry->member) {
ptype = convert_aaregex_to_pcre(entry->member, 0, memberbuf, ptype = convert_aaregex_to_pcre(entry->member, 0, memberbuf, &pos);
PATH_MAX+3, &pos);
if (ptype == ePatternInvalid) if (ptype == ePatternInvalid)
goto fail; goto fail;
vec[5] = memberbuf; vec[5] = memberbuf.c_str();
} else { } else {
/* match any char except \000 0 or more times */ /* match any char except \000 0 or more times */
vec[5] = "[^\\000]*"; vec[5] = "[^\\000]*";
@ -1305,31 +1280,41 @@ static int test_filter_slashes(void)
#define MY_REGEX_TEST(input, expected_str, expected_type) \ #define MY_REGEX_TEST(input, expected_str, expected_type) \
do { \ do { \
char tbuf[PATH_MAX + 3]; \ std::string tbuf; \
std::string tbuf2 = "testprefix"; \
char *test_string; \ char *test_string; \
char* output_string = NULL; \ char *output_string = NULL; \
std::string expected_str2; \
pattern_t ptype; \ pattern_t ptype; \
int pos; \ int pos; \
\ \
test_string = strdup((input)); \ test_string = strdup((input)); \
ptype = convert_aaregex_to_pcre(test_string, 0, tbuf, PATH_MAX + 3, &pos); \ ptype = convert_aaregex_to_pcre(test_string, 0, tbuf, &pos); \
asprintf(&output_string, "simple regex conversion for '%s'\texpected = '%s'\tresult = '%s'", \ asprintf(&output_string, "simple regex conversion for '%s'\texpected = '%s'\tresult = '%s'", \
(input), expected_str, tbuf); \ (input), expected_str, tbuf.c_str()); \
MY_TEST(strcmp(tbuf, (expected_str)) == 0, output_string); \ MY_TEST(strcmp(tbuf.c_str(), (expected_str)) == 0, output_string); \
MY_TEST(ptype == (expected_type), "simple regex conversion type check for '" input "'"); \ MY_TEST(ptype == (expected_type), "simple regex conversion type check for '" input "'"); \
free(output_string); \
/* ensure convert_aaregex_to_pcre appends only to passed ref string */ \
expected_str2 = tbuf2; \
expected_str2.append((expected_str)); \
ptype = convert_aaregex_to_pcre(test_string, 0, tbuf2, &pos); \
asprintf(&output_string, "simple regex conversion for '%s'\texpected = '%s'\tresult = '%s'", \
(input), expected_str2.c_str(), tbuf2.c_str()); \
MY_TEST((tbuf2 == expected_str2), output_string); \
free(test_string); free(output_string); \ free(test_string); free(output_string); \
} \ } \
while (0) while (0)
#define MY_REGEX_FAIL_TEST(input) \ #define MY_REGEX_FAIL_TEST(input) \
do { \ do { \
char tbuf[PATH_MAX + 3]; \ std::string tbuf; \
char *test_string; \ char *test_string; \
pattern_t ptype; \ pattern_t ptype; \
int pos; \ int pos; \
\ \
test_string = strdup((input)); \ test_string = strdup((input)); \
ptype = convert_aaregex_to_pcre(test_string, 0, tbuf, PATH_MAX + 3, &pos); \ ptype = convert_aaregex_to_pcre(test_string, 0, tbuf, &pos); \
MY_TEST(ptype == ePatternInvalid, "simple regex conversion invalid type check for '" input "'"); \ MY_TEST(ptype == ePatternInvalid, "simple regex conversion invalid type check for '" input "'"); \
free(test_string); \ free(test_string); \
} \ } \

1
parser/tst/simple_tests/file/ok_alternations_3.sd
View file

File diff suppressed because one or more lines are too long