[apparmor] [PATCH 05/13] Require matched mode strings to terminate

[Kees Cook]

On Tue, Feb 14, 2012 at 09:32:27AM -0800, John Johansen wrote:
> mode strings overlap with other potential commands, or strings, and as
> currently written can be match as a leading substring of an ID.  Eliminate
> the leading substring case by requiring that for a mode string to be
> recognized it must be terminated by whitespace, eol, eof, or
> comma (end of rule).
> 
> The other cases where modes string overlap are ambiguous and the ID should
> be quoted to remove the ambiguity.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/parser_lex.l |    6 +++---
>  1 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/parser/parser_lex.l b/parser/parser_lex.l
> index 8f549c8..e4f8f66 100644
> --- a/parser/parser_lex.l
> +++ b/parser/parser_lex.l
> @@ -175,9 +175,9 @@ SLASH		\/
>  COLON		:
>  END_OF_RULE	[,]
>  RANGE		-
> -MODE_CHARS 	([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
> -MODES		{MODE_CHARS}+
>  WS		[[:blank:]]
> +MODE_CHARS	([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
> +MODES		({MODE_CHARS}+)
>  NUMBER		[[:digit:]]+

Why the relocation churn here? Better to just change only the MODES
definition for better change readability.

>  ID_CHARS	[^ \t\n"!,]
> @@ -540,7 +540,7 @@ LT_EQUAL	<=
>  			return TOK_ID;
>  			}
>  
> -{MODES}			{
> +({MODES})/([[:space:],])	{
>  			DUMP_PREPROCESS;
>  			yylval.mode = strdup(yytext);
>  			PDEBUG("Found modes: %s\n", yylval.mode);

Otherwise, looks fine.

-Kees

-- 
Kees Cook