On 08/30/2014 09:19 PM, John Johansen wrote:
> fix output of listen and setopts commands
>
> The listen and setopts commands have broken encodings because the
> tmp stream they use to handle diverging from the other commands
> does not set its write position to the end of the copied data.
> Instead the write head is set to the beginning so that when the
> new data for the command is written it overwrites the beginning of
> the command instead of appending to it.
>
So, before this patch, I was seeing denials like this:

apparmor="DENIED" operation="setsockopt" profile="/usr/sbin/cupsd" pid=4283 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="setopt" denied_mask="setopt" peer_name=none
Yet none of this policy would make the denial go away:
unix (setopt) type=stream peer=(addr=none),
unix (setopt) type=stream,
unix (setopt),
Does this patch fix that?
Also, I had a similar problem with getopt. E.g., I saw denials like this:
apparmor="DENIED" operation="getsockopt"
profile="/usr/lib/thunderbird/thunderbird{,*[^s][^h]}" pid=3798
comm="threaded-ml" family="unix" sock_type="stream" protocol=0
requested_mask="getopt" denied_mask="getopt" peer_name=none
Yet this policy didn't make it go away:
unix (getopt) type=stream peer=(addr=none),
(I even tried 'unix (getopt) type=stream addr=none,' for giggles even though it
shouldn't have worked, and it correctly didn't :).
I'm guessing that the getopt issue I saw is not addressed in this patch?
Thanks for working on this! :)
> Signed-off-by: John Johansen <[email protected]>
>
> ---
>
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc 2014-08-30 05:32:14 +0000
> +++ parser/af_unix.cc 2014-08-31 02:09:00 +0000
> @@ -316,7 +312,7 @@
> */
> int unix_rule::gen_policy_re(Profile &prof)
> {
> - std::ostringstream buffer, tmp;
> + std::ostringstream buffer;
> std::string buf;
>
> int mask = mode;
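Review bot: with `tmp` removed from this shared declaration, the stream only exists inside the two `if` blocks that re-declare it below, so any reference to `tmp` outside those blocks (for instance in the common failure path that the `goto fail` in the next hunk jumps to) would no longer compile; the hunks only show the two blocks, so it is worth confirming nothing after them still touches `tmp`. A sentence in the commit message noting that the stream is now block-local would help the next reader.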
> @@ -371,7 +367,8 @@
> }
>
> if (mask & AA_NET_LISTEN) {
> - tmp.str(buffer.str());
> + std::ostringstream tmp(buffer.str());
> + tmp.seekp(0, ios_base::end);
> tmp << "\\x" << std::setfill('0') << std::setw(2) <<
> std::hex << CMD_LISTEN;
> /* TODO: backlog conditional: for now match anything*/
> tmp << "..";
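Review bot: `std::ostringstream tmp(buffer.str())` opens the stream with the default `ios_base::out` mode, which leaves the put pointer at offset 0 of the copied data, so the `tmp.seekp(0, ios_base::end)` on the following line is the line that actually repairs the overwrite described in the commit message. Passing the mode to the constructor instead, e.g. `std::ostringstream tmp(buffer.str(), std::ios_base::out | std::ios_base::ate);`, states the append intent in the declaration itself and cannot be separated from it by a later edit. Also, `ios_base::end` is unqualified while `std::ostringstream`, `std::setfill` and `std::hex` on the neighbouring lines are `std::`-qualified; write `std::ios_base::end` for consistency (as written it only compiles if a using-directive for `std` is in scope).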
> @@ -383,7 +380,8 @@
> goto fail;
> }
> if (mask & AA_NET_OPT) {
> - tmp.str(buffer.str());
> + std::ostringstream tmp(buffer.str());
> + tmp.seekp(0, ios_base::end);
> tmp << "\\x" << std::setfill('0') << std::setw(2) <<
> std::hex << CMD_OPT;
> /* TODO: sockopt conditional: for now match anything */
> tmp << "..";
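Review bot: this block repeats the construct-then-seekp sequence from the AA_NET_LISTEN hunk verbatim, and the ordering requirement (seek before the first `<<`) is exactly the kind of detail that gets lost in one copy and not the other; consider a small helper that returns a stream already positioned at the end of `buffer.str()`, or at least a comment on why the seekp is needed. The same `std::ios_base::end` qualification point applies here.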
>
>
>
--
Jamie Strandboge http://www.ubuntu.com/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
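The commit message above describes the bug in terms of the stream's write position. The following is an added, self-contained example (not code from the patch or from the AppArmor parser) that reproduces the pre-patch `str()`-then-write pattern beside the two correct forms, the patch's `seekp` and an `ate`-mode constructor, so the overwrite can be seen directly. `CMD_LISTEN_EXAMPLE`, `write_cmd`, `appends_to_prefix` and the prefix string are placeholders chosen for the example, not the parser's constants or functions.

```cpp
#include <iomanip>
#include <ios>
#include <iostream>
#include <sstream>
#include <string>

// Placeholder command byte for the example; the parser's real CMD_LISTEN
// value is not shown in the thread, so this is an assumption.
static const int CMD_LISTEN_EXAMPLE = 0x05;

// Writes the command the way the hunks do: "\x" + two hex digits, then ".."
// as the "match anything" placeholder for the conditional.
static void write_cmd(std::ostringstream &out, int cmd) {
    out << "\\x" << std::setfill('0') << std::setw(2) << std::hex << cmd;
    out << "..";
}

// Pre-patch pattern: str() replaces the buffer but leaves the put pointer at
// offset 0 (default ios_base::out mode), so the command bytes overwrite the
// start of the copied prefix instead of following it.
std::string encode_overwrite(const std::string &prefix) {
    std::ostringstream tmp;
    tmp.str(prefix);
    write_cmd(tmp, CMD_LISTEN_EXAMPLE);
    return tmp.str();
}

// Patched pattern: move the put pointer to the end before the first write.
std::string encode_seekp(const std::string &prefix) {
    std::ostringstream tmp(prefix);
    tmp.seekp(0, std::ios_base::end);
    write_cmd(tmp, CMD_LISTEN_EXAMPLE);
    return tmp.str();
}

// Equivalent fix without a separate seek: open the stream "at end" so the
// position cannot be forgotten between the declaration and the write.
std::string encode_ate(const std::string &prefix) {
    std::ostringstream tmp(prefix, std::ios_base::out | std::ios_base::ate);
    write_cmd(tmp, CMD_LISTEN_EXAMPLE);
    return tmp.str();
}

// True when the encoded output keeps the whole prefix and only appends to it;
// this is the property the pre-patch form violates.
bool appends_to_prefix(const std::string &prefix, const std::string &encoded) {
    return encoded.size() > prefix.size() &&
           encoded.compare(0, prefix.size(), prefix) == 0;
}

int main() {
    // Constructed prefix standing in for the already-encoded rule bytes.
    const std::string prefix = "\\x04\\x01";
    std::cout << "overwrite: " << encode_overwrite(prefix) << '\n'
              << "seekp:     " << encode_seekp(prefix) << '\n'
              << "ate:       " << encode_ate(prefix) << '\n';
    return 0;
}
```

With the eight-character prefix, the broken form yields `\x05..01`: the six command characters land on top of the first six prefix characters and only the tail of the prefix survives, which is why no `unix (setopt)` rule could match the denied operation. With a prefix shorter than the written data the prefix disappears entirely. Both fixed forms produce the prefix followed by `\x05..`.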
