UnixRule: Fix handling of peers with a ?

`?` is a valid AARE char, add it to the regexes that match the AARE.

Also add some tests to ensure this is really fixed, and make the error
output of the tests more useful/verbose.

Note: One of the added tests (with a space in the peer name) uncovered a
bug in quote handling. This will be fixed in the next commit.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/404
Christian Boltz 2024-06-19 13:28:24 +02:00
parent 1fcd0c1700
commit d8360dc765
2 changed files with 6 additions and 3 deletions


@ -23,8 +23,8 @@ from apparmor.translations import init_translation
_ = init_translation() _ = init_translation()
_aare = r'([][!/\\\,().*@{}\w^-]+)' _aare = r'([][!/\\\,().*?@{}\w^-]+)'
_quoted_aare = r'"([][!/\\\,().*@{}\w\s^-]+)"' _quoted_aare = r'"([][!/\\\,().*?@{}\w\s^-]+)"'
aare = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})\))' aare = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})\))'
aare_set = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})+\))' aare_set = rf'({_aare}|{_quoted_aare}|\(({_aare}|{_quoted_aare})+\))'
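Review bot: The accepted character set is maintained by hand in two places, `_aare` and `_quoted_aare`, and nothing on the new side says the two classes must stay identical apart from `\s`; this fix had to add `?` to both. A comment above `_aare` would make that explicit, for example `# characters accepted in an AARE; _quoted_aare must list the same set plus \s`. A character missing from only one of the two would presumably make the tools reject a rule in one spelling and accept it in the other, which is hard to notice without a test for each form.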


@ -37,6 +37,9 @@ class UnixTestParse(AATest):
('unix (accept, rw) protocol=AA type=BB,', UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, UnixRule.ALL, UnixRule.ALL, False, False, False, '')), ('unix (accept, rw) protocol=AA type=BB,', UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, UnixRule.ALL, UnixRule.ALL, False, False, False, '')),
('unix shutdown addr=@srv,', UnixRule('shutdown', UnixRule.ALL, {'addr': '@srv'}, UnixRule.ALL, False, False, False, '')), ('unix shutdown addr=@srv,', UnixRule('shutdown', UnixRule.ALL, {'addr': '@srv'}, UnixRule.ALL, False, False, False, '')),
('unix send addr=@foo{a,b} peer=(label=splat),', UnixRule('send', UnixRule.ALL, {'addr': '@foo{a,b}'}, {'label': 'splat'}, False, False, False, '')), ('unix send addr=@foo{a,b} peer=(label=splat),', UnixRule('send', UnixRule.ALL, {'addr': '@foo{a,b}'}, {'label': 'splat'}, False, False, False, '')),
('unix peer=(addr=@/tmp/foo-??????),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-??????'}, False, False, False, '')),
# ('unix peer=(addr="@/tmp/f o-??????"),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/f o-??????'}, False, False, False, '')), # quote handling is broken
('unix peer=(addr=@/tmp/foo-*),', UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, {'addr': '@/tmp/foo-*'}, False, False, False, '')),
('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),', ('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),',
UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')), # noqa: E127 UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')), # noqa: E127
) )
@ -45,7 +48,7 @@ class UnixTestParse(AATest):
self.assertTrue(UnixRule.match(rawrule)) self.assertTrue(UnixRule.match(rawrule))
obj = UnixRule.create_instance(rawrule) obj = UnixRule.create_instance(rawrule)
expected.raw_rule = rawrule.strip() expected.raw_rule = rawrule.strip()
self.assertTrue(obj.is_equal(expected, True)) self.assertTrue(obj.is_equal(expected, True), f'\n {rawrule} expected,\n {obj.get_clean()} returned by obj.get_clean()\n {expected.get_clean()} returned by expected.get_clean()')
def test_diff_local(self): def test_diff_local(self):
obj1 = UnixRule('send', UnixRule.ALL, {'addr': 'foo'}, UnixRule.ALL, ) obj1 = UnixRule('send', UnixRule.ALL, {'addr': 'foo'}, UnixRule.ALL, )
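Review bot: The `?` added to `_quoted_aare` has no enabled test in the first hunk of this section: the only quoted case among the new entries is commented out, so the two active additions exercise the unquoted pattern only, and only inside `peer=(addr=...)`. If quote handling permits it before the follow-up commit, a quoted entry without whitespace in the name would cover that branch. Otherwise the disabled line should carry an explicit marker such as `# TODO: enable once quote handling is fixed` so it is re-enabled with that fix. The tuple and the `UnixTestParse` class both start outside the hunk, so other existing cases may already cover quoted values.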