On 08/31/2014 04:06 PM, Jamie Strandboge wrote: > On 08/30/2014 09:19 PM, John Johansen wrote: >> fix output of listen and setopts commands >> >> The listen and setopts commands have broken encodings because the >> tmp stream they use to handle diverging from the other commands >> has does not set its write position to to the end of the copied data. >> Instead the write head is set to the beginning so that when the >> new data for the command is written it overwrites the begging of >> the command instead of appending to it. >> > So, before this patch, I was seeing denials like this: > apparmor="DENIED" operation="setsockopt" profile="/usr/sbin/cupsd" pid=4283 > comm="cupsd" family="unix" sock_type="stream" protocol=0 > requested_mask="setopt" denied_mask="setopt" peer_name=none > > Yet none of this policy would make the denial go away: > unix (setopt) type=stream peer=(addr=none), > unix (setopt) type=stream, > unix (setopt), > > Does this patch fix that?
Ok, I installed 2.8.96~2541-0ubuntu4~abstractsock15 which includes these
patches, but I still see the setopt denials with cups ('sudo stop cups ; sudo
start cups' will trigger it). I still can't make the denials go away with 'unix
(setopt) type=stream peer=(addr=none)'.
> Also, I had a similar problem with getopt. Eg, I saw denials like this:
> apparmor="DENIED" operation="getsockopt"
> profile="/usr/lib/thunderbird/thunderbird{,*[^s][^h]}" pid=3798
> comm="threaded-ml" family="unix" sock_type="stream" protocol=0
> requested_mask="getopt" denied_mask="getopt" peer_name=none
>
> Yet this policy didn't make it go away:
> unix (getopt) type=stream peer=(addr=none),
>
Interestingly, I no longer see the getopt denial-- even *without* any rules for
it. My test case was starting thunderbird without the dbus-session-strict
abstraction, but now I don't see this. Not sure if this is tbird using a
different code path or something with this patchset. If needed I can try with
another set of apparmor patches (just let me know what to test).
>
>> Signed-off-by: John Johansen <[email protected]>
>>
>> ---
>>
>> === modified file 'parser/af_unix.cc'
>> --- parser/af_unix.cc 2014-08-30 05:32:14 +0000
>> +++ parser/af_unix.cc 2014-08-31 02:09:00 +0000
>> @@ -316,7 +312,7 @@
>> */
>> int unix_rule::gen_policy_re(Profile &prof)
>> {
>> - std::ostringstream buffer, tmp;
>> + std::ostringstream buffer;
>> std::string buf;
>>
>> int mask = mode;
>> @@ -371,7 +367,8 @@
>> }
>>
>> if (mask & AA_NET_LISTEN) {
>> - tmp.str(buffer.str());
>> + std::ostringstream tmp(buffer.str());
>> + tmp.seekp(0, ios_base::end);
>> tmp << "\\x" << std::setfill('0') << std::setw(2) <<
>> std::hex << CMD_LISTEN;
>> /* TODO: backlog conditional: for now match anything*/
>> tmp << "..";
>> @@ -383,7 +380,8 @@
>> goto fail;
>> }
>> if (mask & AA_NET_OPT) {
>> - tmp.str(buffer.str());
>> + std::ostringstream tmp(buffer.str());
>> + tmp.seekp(0, ios_base::end);
>> tmp << "\\x" << std::setfill('0') << std::setw(2) <<
>> std::hex << CMD_OPT;
>> /* TODO: sockopt conditional: for now match anything */
>> tmp << "..";
>>
>>
>>
>
>
>
>
--
Jamie Strandboge http://www.ubuntu.com/
signature.asc
Description: OpenPGP digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
