checkpolicy currently imposes arbitrary limits on pathnames used
in genfscon and other statements. This prevents specifying certain
paths in /proc such as those containing comma (,) characters.
Generalize the PATH, QPATH, and FILENAME patterns to support most
legal pathnames.
For simplicity, we do not support pathnames containing newlines or
quotes.
Reported-by: Inamdar Sharif <isharif@xxxxxxxxxx>
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
checkpolicy/policy_scan.l | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 22da338..2f7f221 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -249,9 +249,9 @@ high |
HIGH { return(HIGH); }
low |
LOW { return(LOW); }
-"/"({alnum}|[_\.\-/])* { return(PATH); }
-\""/"[ !#-~]*\" { return(QPATH); }
-\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
+"/"[^ \n\r\t\f]* { return(PATH); }
+\""/"[^\"\n]*\" { return(QPATH); }
+\"[^"/"\"\n]+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
--
2.5.5
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
