On Wed, Aug 27, 2014 at 12:56:49PM -0700, Steve Beattie wrote:
> On Mon, Aug 25, 2014 at 05:06:07PM -0700, [email protected] wrote:
> > This patch implements parsing of fine grained mediation for unix domain
> > sockets that have abstract and anonymous paths. Sockets with file
> > system paths are handled by regular file access rules.
> >
> > The unix network rules follow the general fine grained network
> > rule pattern of
> >
> > [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>]
> > [<peer expr>]
> >
> > specifically for af_unix this is
> >
> > [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>]
> > [<peer expr>]
> >
> > <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
> >
> > <access expr> = ( <access> | <access list> )
> >
> > <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
> > 'connect' | 'shutdown' | 'getattr' | 'setattr' |
> > 'getopt' | 'setopt' |
> > 'send' | 'receive' | 'r' | 'w' | 'rw' )
> > (some access modes are incompatible with some rules or require additional
> > parameters)
> >
> > <access list> = '(' <access> ( [','] <WS> <access> )* ')'
>
> So I'm testing a bit with this patch and it seems that the patch doesn't
> implement this exactly. Currently, the parser does not accept the following:
>
> unix send,
> unix receive,
> unix server,
> unix (server),
>
> Implementing the latter two requires a bit of complexity that I wasn't
> prepared to tackle at this moment. The following patch adds support
> for the first two, as well as adding a bunch more simple acceptance
> tests for the various access keywords.
>
> Signed-off-by: Steve Beattie <[email protected]>
Acked-by: Seth Arnold <[email protected]>

Thanks

> ---
> parser/parser_lex.l | 2 +-
> parser/tst/simple_tests/unix/ok_accept_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_accept_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_attr_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_attr_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_attr_3.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_attr_4.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_bind_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_bind_3.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_connect_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_connect_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_create_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_create_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_listen_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_listen_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_11.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_12.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_13.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_14.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_15.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_16.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_17.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_18.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_msg_19.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_opt_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_opt_2.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_opt_3.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_opt_4.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_shutdown_1.sd | 7 +++++++
> parser/tst/simple_tests/unix/ok_shutdown_2.sd | 7 +++++++
> 30 files changed, 204 insertions(+), 1 deletion(-)
>
> Index: b/parser/parser_lex.l
> ===================================================================
> --- a/parser/parser_lex.l
> +++ b/parser/parser_lex.l
> @@ -489,7 +489,7 @@ LT_EQUAL <= > eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); } > } > > -<DBUS_MODE,SIGNAL_MODE>{ > +<DBUS_MODE,SIGNAL_MODE,UNIX_MODE>{ > send { RETURN_TOKEN(TOK_SEND); } > receive { RETURN_TOKEN(TOK_RECEIVE); } > } > Index: b/parser/tst/simple_tests/unix/ok_msg_11.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_11.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix rule > +#=EXRESULT PASS > + > +profile a_profile { > + unix, > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_12.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_12.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix send test > +#=EXRESULT PASS > + > +profile a_profile { > + unix send, > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_13.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_13.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix receive, > +} > Index: b/parser/tst/simple_tests/unix/ok_create_1.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_create_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix create acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix create, > +} > Index: b/parser/tst/simple_tests/unix/ok_create_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_create_2.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix create acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (create), > +} > Index: b/parser/tst/simple_tests/unix/ok_accept_1.sd > =================================================================== > --- /dev/null 
> +++ b/parser/tst/simple_tests/unix/ok_accept_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix accept acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix accept, > +} > Index: b/parser/tst/simple_tests/unix/ok_accept_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_accept_2.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix accept acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (accept), > +} > Index: b/parser/tst/simple_tests/unix/ok_bind_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_bind_2.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix bind acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix bind, > +} > Index: b/parser/tst/simple_tests/unix/ok_bind_3.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_bind_3.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix bind acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (bind), > +} > Index: b/parser/tst/simple_tests/unix/ok_listen_1.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_listen_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix listen acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix listen, > +} > Index: b/parser/tst/simple_tests/unix/ok_listen_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_listen_2.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix listen acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (listen), > +} > Index: b/parser/tst/simple_tests/unix/ok_attr_1.sd > =================================================================== 
> --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_attr_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix getattr acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix getattr, > +} > Index: b/parser/tst/simple_tests/unix/ok_attr_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_attr_2.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix getattr acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (getattr), > +} > Index: b/parser/tst/simple_tests/unix/ok_attr_3.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_attr_3.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix setattr acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix setattr, > +} > Index: b/parser/tst/simple_tests/unix/ok_attr_4.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_attr_4.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix setattr acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (setattr), > +} > Index: b/parser/tst/simple_tests/unix/ok_connect_1.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_connect_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix connect acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix connect, > +} > Index: b/parser/tst/simple_tests/unix/ok_connect_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_connect_2.sd 
> @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix connect acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (connect), > +} > Index: b/parser/tst/simple_tests/unix/ok_opt_1.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_opt_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix getopt acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix getopt, > +} > Index: b/parser/tst/simple_tests/unix/ok_opt_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_opt_2.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix getopt acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (getopt), > +} > Index: b/parser/tst/simple_tests/unix/ok_opt_3.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_opt_3.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix setopt acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix setopt, > +} > Index: b/parser/tst/simple_tests/unix/ok_opt_4.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_opt_4.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix setopt acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (setopt), > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_14.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_14.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix r, > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_15.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_15.sd 
> @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (r), > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_16.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_16.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix w, > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_17.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_17.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (w), > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_18.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_18.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix rw, > +} > Index: b/parser/tst/simple_tests/unix/ok_msg_19.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_msg_19.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix msg test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (rw), > +} > Index: b/parser/tst/simple_tests/unix/ok_shutdown_1.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_shutdown_1.sd > @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix shutdown acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix shutdown, > +} > Index: b/parser/tst/simple_tests/unix/ok_shutdown_2.sd > =================================================================== > --- /dev/null > +++ b/parser/tst/simple_tests/unix/ok_shutdown_2.sd 
> @@ -0,0 +1,7 @@ > +# > +#=DESCRIPTION simple unix shutdown acceptance test > +#=EXRESULT PASS > + > +profile a_profile { > + unix (shutdown), > +} > > -- > Steve Beattie > <[email protected]> > http://NxNW.org/~steve/ > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
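Review bot: the parser_lex.l hunk (`-<DBUS_MODE,SIGNAL_MODE>{` / `+<DBUS_MODE,SIGNAL_MODE,UNIX_MODE>{`) only makes `send` and `receive` lexable in UNIX_MODE, and the new ok_msg_12 / ok_msg_13 tests only check that `unix send,` and `unix receive,` are accepted, not what they compile to. A keyword that is now accepted but mapped in the grammar to no unix permission, or to the wrong one, would still make these tests pass. Suggest pairing the acceptance tests with a check that the compiled policy for `unix send,` and `unix receive,` matches whichever r/w/rw form they are meant to be equivalent to (the parser's equality tests are the natural place), so the mediation outcome, not just the syntax, is covered.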
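Review bot: the `#=DESCRIPTION` lines in ok_msg_13 through ok_msg_19 all read `simple unix msg test` (and ok_msg_12 reads `simple unix send test`), so a failure in one of them cannot be told apart from the others by its description; name the access keyword and form the way the other new files do, e.g. `simple unix receive acceptance test` and `simple unix rw acceptance test`. Also, the cover letter says `unix server,` and `unix (server),` are still rejected, but nothing in the test set records that; a test for each with `#=EXRESULT FAIL` would document the known gap and start failing, and so prompt an update, once server support lands.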
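The access-expression grammar quoted in the cover letter above, as an added example that is not part of this patch or of the AppArmor parser: a small Python recognizer for the `[<qualifiers>] 'unix' [<access expr>] ,` prefix of a unix rule, following the quoted productions literally (optional comma but mandatory whitespace between list items, `audit` before `allow`/`deny`). It checks the grammar as written, not what the patched lexer accepts, so `unix server,` is accepted here even though the mail says the real parser does not yet take it. Rule conditions, local and peer expressions are not implemented and are rejected; tolerating whitespace just inside the parentheses is an assumption of this example. The sample rule lines are taken from the test files in the patch.

```python
import re

# The <access> keywords listed in the quoted grammar.
ACCESSES = frozenset({
    "server", "create", "bind", "listen", "accept", "connect", "shutdown",
    "getattr", "setattr", "getopt", "setopt", "send", "receive",
    "r", "w", "rw",
})

# [<qualifiers>] 'unix': 'audit' is optional, then at most one of
# 'allow' / 'deny', in that order, then the keyword itself.
_HEAD = re.compile(r"(?:(audit)\s+)?(?:(allow|deny)\s+)?unix\b")


class RuleSyntaxError(ValueError):
    """The line is not a well-formed unix rule under the quoted grammar."""


def _take_access(text):
    """Consume one <access> keyword at the start of text; return (keyword, rest)."""
    m = re.match(r"[a-z]+", text)
    if not m or m.group(0) not in ACCESSES:
        raise RuleSyntaxError("expected an access keyword at: %r" % text)
    return m.group(0), text[m.end():]


def _parse_access_list(text):
    """<access list> = '(' <access> ( [','] <WS> <access> )* ')'

    Whitespace directly inside the parentheses is tolerated (an assumption of
    this example); the separator between items is an optional comma followed
    by mandatory whitespace, exactly as the production reads.
    """
    if not text.startswith("("):
        raise RuleSyntaxError("access list must start with '('")
    keyword, rest = _take_access(text[1:].lstrip())
    accesses = [keyword]
    while True:
        if rest.lstrip().startswith(")"):
            return accesses, rest.lstrip()[1:]
        sep = re.match(r",?\s+", rest)
        if not sep:
            raise RuleSyntaxError("expected [','] <WS> <access> or ')' at: %r" % rest)
        keyword, rest = _take_access(rest[sep.end():])
        accesses.append(keyword)


def parse_unix_rule(line):
    """Parse '[<qualifiers>] unix [<access expr>] ,' into (qualifiers, accesses).

    Rule conditions, local and peer expressions are not implemented here:
    any text left between the access expression and the ',' is rejected.
    """
    text = line.strip()
    if not text.endswith(","):
        raise RuleSyntaxError("rule must end with ','")
    text = text[:-1].rstrip()
    head = _HEAD.match(text)
    if not head:
        raise RuleSyntaxError("not a unix rule: %r" % line)
    qualifiers = tuple(q for q in head.groups() if q)
    rest = text[head.end():].lstrip()
    if not rest:                       # bare 'unix,' has no <access expr>
        return qualifiers, ()
    if rest.startswith("("):
        accesses, rest = _parse_access_list(rest)
    else:
        keyword, rest = _take_access(rest)
        accesses = [keyword]
    if rest.strip():
        raise RuleSyntaxError("unsupported trailing text: %r" % rest)
    return qualifiers, tuple(accesses)


def accepts(line):
    """True if the line is accepted by the grammar, False otherwise."""
    try:
        parse_unix_rule(line)
    except RuleSyntaxError:
        return False
    return True


if __name__ == "__main__":
    # Rule bodies from the acceptance tests in the patch, the two forms the
    # cover letter says the real parser does not yet accept, and two forms
    # the quoted grammar rejects (missing whitespace; list without parens).
    for sample in ("unix,", "unix send,", "unix (create),", "unix (rw),",
                   "audit deny unix (send, receive),",
                   "unix server,", "unix (server),",
                   "unix (send,receive),", "unix send receive,"):
        print("%-36s %s" % (sample, "accepted" if accepts(sample) else "rejected"))
```

Running the block prints one line per sample; the two rejected forms show why the production `( [','] <WS> <access> )*` matters: a comma without following whitespace and a multi-keyword list without parentheses are both outside the grammar as quoted.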
