Do not output local permissions for rules that have peer_conditionals

While it is not possible to specify a rule with local conditionals with
peer conditionals, e.g.
   unix listen peer=(addr=@foo),

a rule such as
   unix peer=(addr=@foo),

is possible, and was setting all permissions for local as well as the peer
condition permissions.

Currently this means the create permission must be specified in a separate
rule from a rule with a peer= condition, if create is to be allowed. This
isn't too much of an issue, but it does mean a rule such as
  unix connect peer=(addr=@foo),

cannot imply the ability to create a socket. This may indeed be the
behavior if we wish to enforce that the socket was created in another
process and passed in. Is this what we want to do?

Signed-off-by: John Johansen <[email protected]>

---

=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc   2014-09-05 15:49:33 +0000
+++ parser/af_unix.cc   2014-09-05 16:13:04 +0000
@@ -334,7 +334,7 @@
        }
 
        write_to_prot(buffer);
-       if (mask & AA_NET_CREATE) {
+       if ((mask & AA_NET_CREATE) && !has_peer_conds()) {
                buf = buffer.str();
                if (!prof.policy.rules->add_rule(buf.c_str(), deny,
                                                 map_perms(AA_NET_CREATE),
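Review bot: the `!has_peer_conds()` guard silently drops the create permission for any rule carrying a peer= condition, and nothing tells the policy author that happened; since the commit message itself leaves open whether `unix connect peer=(addr=@foo),` should imply create, this behaviour should at least be stated in a comment here (and in the apparmor.d man page) so the dropped permission is not mistaken for a parser bug.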
@@ -355,7 +355,8 @@
                buffer << "\\x00";
 
                /* create already masked off */
-               if (mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) {
+               if ((mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) &&
+                   !has_peer_conds()) {
                        buf = buffer.str();
                        if (!prof.policy.rules->add_rule(buf.c_str(), deny,
                                                         map_perms(mask & 
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
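Review bot: this is the second of four places that add the same `!has_peer_conds()` check to an existing `mask` test; masking once at the top of the function, e.g. `if (has_peer_conds()) mask &= ~AA_LOCAL_NET_PERMS;`, would leave each branch unchanged and make it impossible to miss a branch when a new local permission is added later. Note also that this hunk mixes `mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD` in the condition with the same expression in the `map_perms()` call, so hoisting the masked value into a local would also remove the duplication.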
@@ -364,7 +365,7 @@
                                goto fail;
                }
 
-               if (mask & AA_NET_LISTEN) {
+               if ((mask & AA_NET_LISTEN) && !has_peer_conds()) {
                        std::ostringstream tmp(buffer.str());
                        tmp.seekp(0, ios_base::end);
                        tmp << "\\x" << std::setfill('0') << std::setw(2) << 
std::hex << CMD_LISTEN;
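Review bot: the commit message says a rule combining `listen` with `peer=` cannot be written, so if the grammar really rejects it this `!has_peer_conds()` guard on the AA_NET_LISTEN branch is dead code; if instead the mask can still carry AA_NET_LISTEN alongside peer conditions (for example via the all-permissions default of `unix peer=(addr=@foo),`), say so in a comment, since the two readings imply different things about what the grammar enforces.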
@@ -377,7 +378,7 @@
                                                         dfaflags))
                                goto fail;
                }
-               if (mask & AA_NET_OPT) {
+               if ((mask & AA_NET_OPT) && !has_peer_conds()) {
                        std::ostringstream tmp(buffer.str());
                        tmp.seekp(0, ios_base::end);
                        tmp << "\\x" << std::setfill('0') << std::setw(2) << 
std::hex << CMD_OPT;
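Review bot: the AA_NET_OPT branch gets the same guard as listen but neither the commit message nor the code explains why setopt/getopt count as purely local permissions that a peer-conditioned rule must not grant; a short comment, plus a parser test for `unix peer=(addr=@foo),` asserting that create/listen/opt rules are no longer emitted, would make the intended semantics checkable rather than implicit.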


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor