Split off RE_PROFILE_NAME and RE_PROFILE_PATH from RE_PROFILE_START

(might get re-used later ;-) Also add two tests for profile names not starting with / - the quoted version wasn't catched as invalid before, so this change is actually also a bugfix. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
2025-03-04 16:35:02 +01:00 · 2015-05-09 01:10:59 +02:00 · 2015-05-09 01:10:59 +02:00 · ea72078cc4
commit ea72078cc4
parent 43a8d7703d
2 changed files with 7 additions and 2 deletions
--- a/utils/apparmor/regex.py
+++ b/utils/apparmor/regex.py
@ -26,6 +26,9 @@ RE_OWNER                = '(?P<owner>owner\s+)?'  # optionally: <owner>
 RE_EOL                  = '\s*(?P<comment>#.*?)?\s*$'  # optional whitespace, optional <comment>, optional whitespace, end of the line
 RE_COMMA_EOL            = '\s*,' + RE_EOL # optional whitespace, comma + RE_EOL

+RE_PROFILE_NAME         = '(?P<%s>(\S+|"[^"]+"))'    # string without spaces, or quoted string. %s is the match group name
+RE_PROFILE_PATH         = '(?P<%s>(/\S+|"/[^"]+"))'  # filename (starting with '/') without spaces, or quoted filename. %s is the match group name
+
 RE_PROFILE_END          = re.compile('^\s*\}' + RE_EOL)
 RE_PROFILE_CAP          = re.compile(RE_AUDIT_DENY + 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
 RE_PROFILE_LINK         = re.compile(RE_AUDIT_DENY + 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + RE_COMMA_EOL)
@ -64,9 +67,9 @@ RE_HAS_COMMENT_SPLIT = re.compile('^(?P<not_comment>' + __re_no_or_quoted_hash +
 RE_PROFILE_START          = re.compile(
    '^(?P<leadingspace>\s*)' +
    '(' +
-        '(?P<plainprofile>(/\S+|"[^"]+"))' + # just a path
+        RE_PROFILE_PATH % 'plainprofile' + # just a path
        '|' + # or
-        '(' + 'profile' + '\s+(?P<namedprofile>(\S+|"[^"]+"))' + '(\s+(?P<attachment>(/\S+|"/[^"]+")))?' + ')' + # 'profile', profile name, optionally attachment
+        '(' + 'profile' + '\s+' + RE_PROFILE_NAME % 'namedprofile' + '(\s+' + RE_PROFILE_PATH % 'attachment' + ')?' + ')' + # 'profile', profile name, optionally attachment
    ')' +
    '\s+((flags=)?\((?P<flags>.+)\)\s+)?\{' +
    RE_EOL)
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@ -403,6 +403,8 @@ class AANamedRegexProfileStart_2(AANamedRegexTest):
        ('/bin/foo /bin/bar', False), # missing 'profile' keyword
        ('profile {', False), # no attachment
        ('   profile foo bar /foo {', False), # missing quotes around "foo bar"
+        ('bin/foo {', False), # not starting with '/'
+        ('"bin/foo" {', False), # not starting with '/', quoted version

        ('   /foo {',                     { 'plainprofile': '/foo',    'namedprofile': None,          'attachment': None,     'flags': None,       'comment': None }),
        ('   "/foo" {',                   { 'plainprofile': '"/foo"',  'namedprofile': None,          'attachment': None,     'flags': None,       'comment': None }),