UnixRule: Fix handling of peers with a ?

`?` is a valid AARE char, add it to the regexes that match the AARE. Also add some tests to ensure this is really fixed, and make the error output of the tests more useful/verbose. Note: One of the added tests (with a space in the peer name) uncovered a bug in quote handling. This will be fixed in the next commit. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/404
2025-03-04 08:24:42 +01:00 · 2024-06-19 13:28:24 +02:00 · 2024-06-19 13:28:24 +02:00 · d8360dc765
commit d8360dc765
parent 1fcd0c1700
2 changed files with 6 additions and 3 deletions
--- a/utils/apparmor/rule/unix.py
+++ b/utils/apparmor/rule/unix.py
@ -23,8 +23,8 @@ from apparmor.translations import init_translation

 _ = init_translation()

-_aare = r'([][!/\\\,().*@{}\w^-]+)'
-_quoted_aare = r'"([][!/\\\,().*@{}\w\s^-]+)"'
+_aare = r'([][!/\\\,().*?@{}\w^-]+)'
+_quoted_aare = r'"([][!/\\\,().*?@{}\w\s^-]+)"'
 aare = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})\))'
 aare_set = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})+\))'

--- a/utils/test/test-unix.py
+++ b/utils/test/test-unix.py
@ -37,6 +37,9 @@ class UnixTestParse(AATest):
        ('unix (accept, rw) protocol=AA type=BB,',          UnixRule(('accept', 'rw'),  {'type': 'BB', 'protocol': 'AA'}, UnixRule.ALL,                 UnixRule.ALL,                   False, False, False, '')),
        ('unix shutdown addr=@srv,',                        UnixRule('shutdown',        UnixRule.ALL,                     {'addr': '@srv'},             UnixRule.ALL,                   False, False, False, '')),
        ('unix send addr=@foo{a,b} peer=(label=splat),',    UnixRule('send',            UnixRule.ALL,                     {'addr': '@foo{a,b}'},        {'label': 'splat'},             False, False, False, '')),
+        ('unix peer=(addr=@/tmp/foo-??????),',              UnixRule(UnixRule.ALL,      UnixRule.ALL,                     UnixRule.ALL,                 {'addr': '@/tmp/foo-??????'},   False, False, False, '')),
+      # ('unix peer=(addr="@/tmp/f o-??????"),',            UnixRule(UnixRule.ALL,      UnixRule.ALL,                     UnixRule.ALL,                 {'addr': '@/tmp/f o-??????'},   False, False, False, '')),  # quote handling is broken
+        ('unix peer=(addr=@/tmp/foo-*),',                   UnixRule(UnixRule.ALL,      UnixRule.ALL,                     UnixRule.ALL,                 {'addr': '@/tmp/foo-*'},        False, False, False, '')),
        ('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),',
                                                            UnixRule(('accept', 'rw'),  {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'},   False, False, False, '')),  # noqa: E127
    )
@ -45,7 +48,7 @@ class UnixTestParse(AATest):
        self.assertTrue(UnixRule.match(rawrule))
        obj = UnixRule.create_instance(rawrule)
        expected.raw_rule = rawrule.strip()
-        self.assertTrue(obj.is_equal(expected, True))
+        self.assertTrue(obj.is_equal(expected, True), f'\n  {rawrule}   expected,\n  {obj.get_clean()}   returned by obj.get_clean()\n  {expected.get_clean()}   returned by expected.get_clean()')

    def test_diff_local(self):
        obj1 = UnixRule('send', UnixRule.ALL, {'addr': 'foo'}, UnixRule.ALL, )