From db0e079e8e4f4ff6d5b28e184397f87fd8ceebb0 Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Wed, 13 Nov 2024 22:21:06 -0600
Subject: [PATCH] i/builtin: allow @ in custom-device filepaths (#14651)
* i/builtin: allow @ in custom-device filepaths
Signed-off-by: Oliver Calder
* i/builtin: disallow @{ in custom-device file paths
AppArmor variables take the form @{foo} in rules, so we cannot allow a specified filepath to contain substrings of this form. Such paths should never be necessary.
Signed-off-by: Oliver Calder
---------
Signed-off-by: Oliver Calder
---
 interfaces/builtin/custom_device.go | 12 +++++++++---
 interfaces/builtin/custom_device_test.go | 18 ++++++++++++++----
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/interfaces/builtin/custom_device.go b/interfaces/builtin/custom_device.go
index e39abedc197..218b795ffa2 100644
--- a/interfaces/builtin/custom_device.go
+++ b/interfaces/builtin/custom_device.go
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 /*
- * Copyright (C) 2022 Canonical Ltd
+ * Copyright (C) 2022-2024 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
@@ -51,8 +51,14 @@ var (
 // A cryptic, uninformative error message that we use only on impossible code paths
 customDeviceInternalError = errors.New(`custom-device interface internal error`)
- // Validating regexp for filesystem paths
- customDevicePathRegexp = regexp.MustCompile(`^/[^"@]*$`)
+ // Validating regexp for filesystem paths. @ can appear in paths under
+ // /sys/devices for devices that are defined in the device tree (of the
+ // form device@address), so we need to support @ characters in paths.
+ // However, @{foo} is the format for variables in AppArmor, so we must
+ // disallow `@{`. For completeness, we allow paths with a trailing @ as
+ // well. This is not the case for common-files-derived interfaces, since
+ // these append {,/,/**} pattern to the end of filepath.
+ customDevicePathRegexp = regexp.MustCompile(`^/([^"@]|@[^{])*@?$`)
 // Validating regexp for udev device names.
 // We forbid:
diff --git a/interfaces/builtin/custom_device_test.go b/interfaces/builtin/custom_device_test.go
index 19de629758d..16bd01591d2 100644
--- a/interfaces/builtin/custom_device_test.go
+++ b/interfaces/builtin/custom_device_test.go
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 /*
- * Copyright (C) 2022 Canonical Ltd
+ * Copyright (C) 2022-2024 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
@@ -72,9 +72,11 @@ slots:
 read-devices:
 - /dev/js*
 files:
- write: [ /bar ]
+ write: [ /bar, /baz@qux, /trailing@ ]
 read:
 - /dev/input/by-id/*
+ - /dev/dma_heap/qcom,qseecom
+ - /sys/devices/platform/soc@0/soc@0:bus@30000000/30350000.ocotp-ctrl/imx-ocotp0/nvmem
 udev-tagging:
 - kernel: input/mice
 subsystem: input
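Review bot: In the `customDevicePathRegexp` hunk of custom_device.go, the new alternative `@[^{]` accepts any character except `{` after an `@`, so it also accepts a `"` (which the old pattern `^/[^"@]*$` excluded everywhere) and a second `@`, which lets `@{` through when another `@` precedes it. The test file expects rules such as `"/baz@qux" rw,`, so these paths appear to be written into AppArmor rules inside double quotes, and both cases matter unless a later check outside this diff rejects them. Excluding those characters after a run of `@` keeps the stated intent: `^/([^"@]|@+[^"@{])*@*$`. The `var (` block starts and ends outside the hunk.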
@@ -209,8 +211,12 @@ apps:
 `custom-device "devices" path contains invalid glob pattern "\*\*"`,
 },
 {
- "devices: [/dev/@foo]",
- `custom-device "devices" path must start with / and cannot contain special characters.*`,
+ `devices: ["/dev/@{foo}"]`,
+ `custom-device "devices" path must start with /dev/ and cannot contain special characters.*`,
+ },
+ {
+ `devices: ["/dev/@{foo"]`,
+ `custom-device "devices" path must start with /dev/ and cannot contain special characters.*`,
 },
 {
 "devices: [/dev/foo|bar]",
@@ -405,7 +411,11 @@ func (s *CustomDeviceInterfaceSuite) TestAppArmorSpec(c *C) {
 c.Check(plugSnippet, testutil.Contains, `"/dev/input/mice" rwk,`)
 c.Check(plugSnippet, testutil.Contains, `"/dev/js*" r,`)
 c.Check(plugSnippet, testutil.Contains, `"/bar" rw,`)
+ c.Check(plugSnippet, testutil.Contains, `"/baz@qux" rw,`)
+ c.Check(plugSnippet, testutil.Contains, `"/trailing@" rw,`)
 c.Check(plugSnippet, testutil.Contains, `"/dev/input/by-id/*" r,`)
+ c.Check(plugSnippet, testutil.Contains, `"/dev/dma_heap/qcom,qseecom" r,`)
+ c.Check(plugSnippet, testutil.Contains, `"/sys/devices/platform/soc@0/soc@0:bus@30000000/30350000.ocotp-ctrl/imx-ocotp0/nvmem" r,`)
 c.Check(slotSnippet, HasLen, 0)
 }
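Review bot: Both added negative cases in the `devices:` table (`/dev/@{foo}` and `/dev/@{foo`) expect the `must start with /dev/` message, whereas the case they replace expected `must start with /`, which suggests they are now rejected by the device-name check rather than by `customDevicePathRegexp`. If so, no case in this hunk fails on the new `@{` rule itself, and a regression in that pattern would go unnoticed. A case under `files:` (a `read` or `write` path containing `@{foo}`) that expects the `must start with / and cannot contain special characters` message would pin the behaviour this commit adds; the validation code that picks the message is outside this diff, so confirm the exact wording there. The table literal continues outside the hunk.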