parser: determine xmatch priority based on smallest DFA match (!326) · Merge requests · AppArmor / apparmor

Eric Chiang requested to merge ericchiang/apparmor:xmatch_regex_priority into master Feb 08, 2019

The length of a xmatch is used to prioritize multiple profiles that match the same path, with the intent that the more specific match wins. Currently, the length of a xmatch is computed by the position of the first regex character.

While trying to work around issues with no_new_privs by combining profiles, we noticed that the xmatch length computation doesn't work as expected for multiple regexs. Consider the following two profiles:

profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }

xmatch_len is currently computed as "1" for both profiles, even though "bins" is clearly more specific.

When determining the length of a regex, compute the smallest possible match and use that for xmatch priority instead of the position of the first regex character.

parser: determine xmatch priority based on smallest DFA match

Merge request reports