| Message ID | 1468511275-23946-1-git-send-email-sds@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 22da338..2f7f221 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l @@ -249,9 +249,9 @@ high | HIGH { return(HIGH); } low | LOW { return(LOW); } -"/"({alnum}|[_\.\-/])* { return(PATH); } -\""/"[ !#-~]*\" { return(QPATH); } -\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); } +"/"[^ \n\r\t\f]* { return(PATH); } +\""/"[^\"\n]*\" { return(QPATH); } +\"[^"/"\"\n]+\" { return(FILENAME); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {digit}+|0x{hexval}+ { return(NUMBER); } {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
checkpolicy currently imposes arbitrary limits on pathnames used in genfscon and other statements. This prevents specifying certain paths in /proc such as those containing comma (,) characters. Generalize the PATH, QPATH, and FILENAME patterns to support most legal pathnames. For simplicity, we do not support pathnames containing newlines or quotes. Reported-by: Inamdar Sharif <isharif@nvidia.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- checkpolicy/policy_scan.l | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)