[apparmor] [Patch][parser] Fix: Parser error when using regex profile names in IPC rules

John Johansen john.johansen at canonical.com
Thu Sep 25 09:38:06 UTC 2014


On 09/24/2014 11:32 AM, John Johansen wrote:

v2 changes
- added support for character escaping to IDs
- added tests
- updated existing tests to support character escaping

Fix: Parser error when using regex profile names in IPC rules

BugLink: http://bugs.launchpad.net/bugs/1373085

The parser fails to accept certain characters, even when escaped or quoted
as part of the profile or label name in ipc rules. This is due to the
lexer not accepting those characters as part of the input pattern.

Signed-off-by: John Johansen <john.johansen at canonical.com>

---

=== modified file 'parser/parser_lex.l'
--- parser/parser_lex.l	2014-09-03 22:05:56 +0000
+++ parser/parser_lex.l	2014-09-25 09:05:15 +0000
@@ -207,13 +207,14 @@
 NUMBER		[[:digit:]]+
 
 ID_CHARS	[^ \t\n"!,]
-ID 		{ID_CHARS}|(,{ID_CHARS})
+ID 		{ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,)
 IDS		{ID}+
 POST_VAR_ID_CHARS	[^ \t\n"!,]{-}[=\+]
-POST_VAR_ID 	{POST_VAR_ID_CHARS}|(,{POST_VAR_ID_CHARS})
-LIST_VALUE_ID_CHARS	[^ \t\n"!,]{-}[()]
+POST_VAR_ID 	{POST_VAR_ID_CHARS}|(,{POST_VAR_ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,|\\\(|\\\))
+LIST_VALUE_ID_CHARS	([^ \t\n"!,]{-}[()]|\\[ ]|\\\t|\\\"|\\!|\\,|\\\(|\\\))
+LIST_VALUE_QUOTED_ID_CHARS [^\0"]|\\\"
 LIST_VALUE_ID	{LIST_VALUE_ID_CHARS}+
-QUOTED_LIST_VALUE_ID	{LIST_VALUE_ID}|\"{LIST_VALUE_ID}\"
+QUOTED_LIST_VALUE_ID	\"{LIST_VALUE_QUOTED_ID_CHARS}+\"
 ID_CHARS_NOEQ	[^ \t\n"!,]{-}[=]
 LEADING_ID_CHARS_NOEQ [^ \t\n"!,]{-}[=()+&]
 ID_NOEQ		{ID_CHARS_NOEQ}|(,{ID_CHARS_NOEQ})
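Review bot: An escaped backslash is not consumed as a pair by the new patterns, so `\\` followed by a delimiter is indistinguishable from an escaped delimiter. In `LIST_VALUE_QUOTED_ID_CHARS` the class `[^\0"]` already matches a lone backslash, so under longest-match a quoted value ending in `\\"` is read as containing an escaped quote and the token runs on to the next unescaped `"`. The class also matches newline, so a missing closing quote can absorb the rules that follow. For a policy compiler this means the label or address a rule names can differ from what the author wrote. Consider consuming escapes as pairs, e.g. `LIST_VALUE_QUOTED_ID_CHARS [^\0"\\]|\\.`, with a matching `\\\\` alternative in `ID`, `POST_VAR_ID` and `LIST_VALUE_ID_CHARS`; the rules using these definitions and the unescaping code are outside the hunk and would have to agree.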

=== renamed file 'parser/tst/simple_tests/dbus/bad_regex_03.sd' => 'parser/tst/simple_tests/dbus/ok_regex_01.sd'
--- parser/tst/simple_tests/dbus/bad_regex_03.sd	2014-04-26 04:48:25 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_01.sd	2014-09-25 08:23:00 +0000
@@ -1,6 +1,6 @@
 #
-#=DESCRIPTION dbus rule with a bad peer regex expansion
-#=EXRESULT FAIL
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
 #
 
 profile foo {
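Review bot: Flipping this case to PASS removes a negative test, and every case added in this patch carries `#=EXRESULT PASS`, so nothing pins what the lexer must still reject after the patterns were widened. A few `#=EXRESULT FAIL` profiles would guard against further loosening, for example a quoted label with no closing quote or an unescaped delimiter inside a label, assuming those are still meant to be errors. The rule body of this profile lies outside the hunk, so the exact input being reclassified is not visible here.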

=== added file 'parser/tst/simple_tests/dbus/ok_regex_02.sd'
--- parser/tst/simple_tests/dbus/ok_regex_02.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_02.sd	2014-09-25 08:23:13 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label=splat\	),
+}

=== added file 'parser/tst/simple_tests/dbus/ok_regex_03.sd'
--- parser/tst/simple_tests/dbus/ok_regex_03.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_03.sd	2014-09-25 08:23:25 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label=splat\"),
+}

=== added file 'parser/tst/simple_tests/dbus/ok_regex_04.sd'
--- parser/tst/simple_tests/dbus/ok_regex_04.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_04.sd	2014-09-25 08:23:41 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label=splat\!),
+}

=== added file 'parser/tst/simple_tests/dbus/ok_regex_05.sd'
--- parser/tst/simple_tests/dbus/ok_regex_05.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_05.sd	2014-09-25 08:21:31 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label=splat\,),
+}

=== added file 'parser/tst/simple_tests/dbus/ok_regex_06.sd'
--- parser/tst/simple_tests/dbus/ok_regex_06.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_06.sd	2014-09-25 08:22:03 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label=splat\(),
+}

=== added file 'parser/tst/simple_tests/dbus/ok_regex_07.sd'
--- parser/tst/simple_tests/dbus/ok_regex_07.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_07.sd	2014-09-25 08:22:45 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label=splat\)),
+}

=== added file 'parser/tst/simple_tests/dbus/ok_regex_08.sd'
--- parser/tst/simple_tests/dbus/ok_regex_08.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_08.sd	2014-09-25 08:24:36 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that are quoted
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label="splat"),
+}
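Review bot: The quoted value in this case, `"splat"`, contains no character that needs quoting, so the test passes whether or not delimiters inside quotes are handled by the new `LIST_VALUE_QUOTED_ID_CHARS`. The unix counterparts in this patch use `"@splat "` and `"splat "` with a trailing space; `dbus send bus=session peer=(label="splat "),` would exercise the same path here. The description also reads `that are quoted`, where the unix tests have `that is quoted`.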

=== added file 'parser/tst/simple_tests/dbus/ok_regex_09.sd'
--- parser/tst/simple_tests/dbus/ok_regex_09.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/dbus/ok_regex_09.sd	2014-09-25 08:25:05 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION dbus rule with a peer regex expansion that are quoted with escaped quote
+#=EXRESULT PASS
+#
+
+profile foo {
+  dbus send bus=session peer=(label="splat\""),
+}

=== renamed file 'parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd' => 'parser/tst/simple_tests/file/file/ok_embedded_spaces_4.sd'
--- parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd	2012-02-16 16:06:04 +0000
+++ parser/tst/simple_tests/file/file/ok_embedded_spaces_4.sd	2014-09-25 09:21:16 +0000
@@ -1,5 +1,5 @@
 #=DESCRIPTION Simple test case for embedded spaces
-#=EXRESULT FAIL
+#=EXRESULT PASS
 
 /bin/foo {
   file /abc\ def r,
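Review bot: This case, and the same rename under `parser/tst/simple_tests/file/` in the next section, only asserts that the parser now accepts `/abc\ def`; it does not show which path the compiled rule matches. Because a file rule that used to be rejected is now accepted, it is worth confirming that the backslash is removed before compilation, so the rule grants read access to `/abc def` and not to a path containing a literal backslash. A test comparing the compiled output of `/abc\ def r,` with that of `"/abc def" r,` would pin this. The profile's closing brace is outside the hunk.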

=== renamed file 'parser/tst/simple_tests/file/bad_embedded_spaces_1.sd' => 'parser/tst/simple_tests/file/ok_embedded_spaces_4.sd'
--- parser/tst/simple_tests/file/bad_embedded_spaces_1.sd	2009-07-23 07:42:57 +0000
+++ parser/tst/simple_tests/file/ok_embedded_spaces_4.sd	2014-09-25 09:11:37 +0000
@@ -1,5 +1,5 @@
 #=DESCRIPTION Simple test case for embedded spaces
-#=EXRESULT FAIL
+#=EXRESULT PASS
 
 /bin/foo {
   /abc\ def r,

=== added file 'parser/tst/simple_tests/unix/ok_regex_01.sd'
--- parser/tst/simple_tests/unix/ok_regex_01.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_01.sd	2014-09-25 08:49:18 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\ ,
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_02.sd'
--- parser/tst/simple_tests/unix/ok_regex_02.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_02.sd	2014-09-25 08:49:32 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\	,
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_03.sd'
--- parser/tst/simple_tests/unix/ok_regex_03.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_03.sd	2014-09-25 08:49:44 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\",
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_04.sd'
--- parser/tst/simple_tests/unix/ok_regex_04.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_04.sd	2014-09-25 08:49:59 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\!,
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_05.sd'
--- parser/tst/simple_tests/unix/ok_regex_05.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_05.sd	2014-09-25 08:50:12 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\,,
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_06.sd'
--- parser/tst/simple_tests/unix/ok_regex_06.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_06.sd	2014-09-25 08:50:23 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\(,
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_07.sd'
--- parser/tst/simple_tests/unix/ok_regex_07.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_07.sd	2014-09-25 08:50:33 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr=@splat\),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_08.sd'
--- parser/tst/simple_tests/unix/ok_regex_08.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_08.sd	2014-09-25 08:50:51 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that is quoted
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr="@splat ",
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_09.sd'
--- parser/tst/simple_tests/unix/ok_regex_09.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_09.sd	2014-09-25 08:51:08 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with regex expansion that is quoted with quote escaped
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix addr="@splat \"",
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_11.sd'
--- parser/tst/simple_tests/unix/ok_regex_11.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_11.sd	2014-09-25 08:39:17 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\ ),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_12.sd'
--- parser/tst/simple_tests/unix/ok_regex_12.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_12.sd	2014-09-25 08:39:35 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\	),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_13.sd'
--- parser/tst/simple_tests/unix/ok_regex_13.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_13.sd	2014-09-25 08:39:54 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\"),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_14.sd'
--- parser/tst/simple_tests/unix/ok_regex_14.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_14.sd	2014-09-25 08:40:11 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\!),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_15.sd'
--- parser/tst/simple_tests/unix/ok_regex_15.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_15.sd	2014-09-25 08:40:32 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\,),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_16.sd'
--- parser/tst/simple_tests/unix/ok_regex_16.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_16.sd	2014-09-25 08:40:48 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\(),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_17.sd'
--- parser/tst/simple_tests/unix/ok_regex_17.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_17.sd	2014-09-25 08:41:06 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that needs escaping
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label=splat\)),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_18.sd'
--- parser/tst/simple_tests/unix/ok_regex_18.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_18.sd	2014-09-25 08:41:31 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that is quoted
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label="splat "),
+}

=== added file 'parser/tst/simple_tests/unix/ok_regex_19.sd'
--- parser/tst/simple_tests/unix/ok_regex_19.sd	1970-01-01 00:00:00 +0000
+++ parser/tst/simple_tests/unix/ok_regex_19.sd	2014-09-25 08:41:49 +0000
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unix rule with peer regex expansion that is quoted with quote escaped
+#=EXRESULT PASS
+#
+
+profile foo {
+  unix peer=(label="splat \""),
+}



