With unix rules we output a downgraded rule compatible with network rules, so
that the policy will work on kernels that support network socket controls but not
the extended af_unix rules.
However, this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials on kernels that don't support the
extended af_unix rules.
---
=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc 2015-02-12 18:19:16 +0000
+++ parser/af_unix.cc 2017-08-18 11:25:26 +0000
@@ -196,16 +196,20 @@
#define CMD_OPT 4
void unix_rule::downgrade_rule(Profile &prof) {
+ unsigned int mask = (unsigned int) -1;
+
if (!prof.net.allow && !prof.alloc_net_table())
yyerror(_("Memory allocation error."));
+ if (sock_type_n != -1)
+ mask = 1 << sock_type_n;
if (deny) {
- prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.deny[AF_UNIX] |= mask;
if (!audit)
- prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.quiet[AF_UNIX] |= mask;
} else {
- prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.allow[AF_UNIX] |= mask;
if (audit)
- prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
+ prof.net.audit[AF_UNIX] |= mask;
}
}
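Review bot: The all-ones `mask` introduced at the top of downgrade_rule is the "rule did not name a socket type, so match every type" case, but nothing in the function says so, and a reader who knows that sock_type_n uses -1 as its unspecified sentinel may read the (unsigned int) -1 as the same sentinel leaking into the bitmask rather than as a deliberate match-all. A comment next to the guard, `/* no socket type given: the downgraded network rule must cover every AF_UNIX type */`, would make the intent explicit, and spelling the initializer as `unsigned int mask = ~0U;` avoids the C-style cast. Since the downgraded allow rule on legacy kernels then permits every AF_UNIX socket type, which is what an unspecified-type unix rule means but is broader than the previous per-type bit, that widening is worth stating in the same comment so policy authors are not surprised by it. If sock_type_n can ever reach a value of 31 or more, the shift `1 << sock_type_n` on a signed int would also overflow, though I cannot tell its range from this hunk.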