On 09/02/2014 04:18 PM, Seth Arnold wrote:
> On Sun, Aug 31, 2014 at 10:20:29AM -0700, John Johansen wrote:
>> Fix: rejecting of unix rules with listen or bind permissions
>>
>> Only reject rules with explicit listen or bind permissions if a peer
>> conditional is specified.
>
> With this change, do we want to put AA_NET_ACCEPT back in this check?
>
no, NET_ACCEPT shows up in both local and peer perms, and we don't want to
limit it to cases where only peer_conds are specified.
i.e. we want
  unix accept,                                  #accept everything
  unix accept peer=(addr=@foo),                 #accept connections from @foo
  unix accept addr=@blah,                       #accept any peer on @blah
  unix accept addr=@blah peer=(addr=@foo),
  ...

>>
>> Signed-off-by: John Johansen <[email protected]>
>
> Acked-by: Seth Arnold <[email protected]>
>
> Thanks
>
>>
>> ---
>>
>> === modified file 'parser/af_unix.cc'
>> --- parser/af_unix.cc 2014-08-31 02:13:35 +0000
>> +++ parser/af_unix.cc 2014-08-31 17:15:54 +0000
>> @@ -115,12 +115,10 @@
>> mode = mode_p;
>> if (mode & ~AA_VALID_NET_PERMS)
>> yyerror("mode contains invalid permissions for unix
>> socket rules\n");
>> - else if ((mode & AA_NET_BIND) &&
>> - ((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
>> + else if ((mode & AA_NET_BIND) && has_peer_conds())
>> /* Do we want to loosen this? */
>> yyerror("unix socket 'bind' access cannot be used with
>> message rule conditionals\n");
>> - else if ((mode & AA_NET_LISTEN) &&
>> - ((mode & AA_PEER_NET_PERMS) || has_peer_conds())
>> + else if ((mode & AA_NET_LISTEN) && has_peer_conds())
>> /* Do we want to loosen this? */
>> yyerror("unix socket 'listen' access cannot be used
>> with message rule conditionals\n");
>> } else {
>>
>>
>>
>> --
>> AppArmor mailing list
>> [email protected]
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/apparmor
>>
>>
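Review bot: the two "/* Do we want to loosen this? */" comments are now stale, because this hunk is the loosening: dropping the "(mode & AA_PEER_NET_PERMS) ||" half of both conditions means a bind or listen rule is rejected only when an explicit peer conditional is present, and a rule that merely combines bind or listen with a peer permission bit is now accepted. Either remove the comments or reword them to record that decision. The two branches also differ only in the permission bit and one word of the message, so a single "else if ((mode & (AA_NET_BIND | AA_NET_LISTEN)) && has_peer_conds())" with one yyerror() would avoid the duplicated logic; and since the test is has_peer_conds(), the message would be more accurate saying "peer conditionals" rather than "message rule conditionals".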
